[Zeek] [EXT] Question on Zeek SMB Logs and action "SMB::FILE OPEN"

security devops jackjill77777 at gmail.com
Tue Jun 16 22:55:47 PDT 2020


Thanks Mark.
I have tested this scenario from 2 clients - one a VM running Win10 (1909)
and the other a physical machine. Both displayed the same symptoms on Zeek
even with AutoRun/AutoPlay disabled.

In the "bro_smb_files" event type, an action of "SMB::FILE OPEN" is
observed for all the executables in the folder.
In the "bro_files" event type, these files are extracted.

Referencing previous queries on action "SMB::FILE OPEN", is it possible
that this action caused executables to be extracted "on the fly"?
http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-April/013049.html

On Tue, 16 Jun 2020 at 19:39, Mark I Fernandez <mfernandez at mitre.org> wrote:

> For the “SMB::FILE OPEN” action, I believe you would see this action when
> viewing a network shared folder.  The SMB::FILE OPEN action applies to both
> files and directories, and I believe there is a flag in one of the SMB
> headers that specifies if it is a folder.
>
>
>
> For the “extracted files” issue, that sounds strange, but if the files
> appear in the “extracted” folder, then those executables are being
> transferred across the wire.  I don’t think Zeek could collect those files
> otherwise.  The only thing I can think of at the moment is that Microsoft
> Windows has a feature called AutoRun or AutoPlay.  Best practice is to
> disable it, but if it is enabled on your Windows machines, then perhaps it
> could explain the behavior.
>
>
>
> Microsoft article on how to disable AutoRun/AutoPlay:
>
> https://docs.microsoft.com/en-us/windows/win32/shell/autoplay-reg
>
>
>
> Mark
>
>
>
> From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> On Behalf Of security devops
> Sent: Tuesday, June 16, 2020 4:28 AM
> To: zeek at zeek.org
> Subject: [EXT] [Zeek] Question on Zeek SMB Logs and action "SMB::FILE OPEN"
>
>
>
> Hi
>
> I'm running Security Onion with Zeek 3.0.7.
>
>
>
> I have a client accessing a NAS. Whenever a client accesses a folder
> containing executables, Zeek will detect a "bro_smb_files" event type for
> all the executables in the folder, even though the client did not open these
> executables.
>
>
>
> There would be an action of "SMB::FILE OPEN" for all these executables and
> it would be extracted to the "nsm/bro/extracted" folder.
>
>
>
> Is this the default behaviour? It seems odd that the files are
> extracted even though they did not cross the wire.
>
>
>
> I'm also a little confused over "SMB::FILE OPEN" action when I referenced
> Zeek documentation. Does it mean the file was "open" even though the client
> only accessed the mapped folder?
>
>
>
> The follow-up question on this would be the forensic integrity of the files.
> Would this weird SMB behavior affect the "access" date of the file (I am
> referring to the MACB dates of the file)?
>
>
>
> thank you
>
>
>
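The check a practitioner would run for the question above, as an added example that is not part of the original thread or of Zeek's own scripts: join smb_files.log to files.log on the fuid and look at seen_bytes. Zeek logs the action written above as "SMB::FILE OPEN" as SMB::FILE_OPEN, and by default only the actions in SMB::logged_file_actions (FILE_OPEN, FILE_RENAME, FILE_DELETE, PRINT_OPEN, PRINT_CLOSE) get a row in smb_files.log, so the reads that follow an open do not show up there; whether data actually crossed the wire is recorded in files.log (seen_bytes, total_bytes, extracted). The times.* columns in smb_files.log are the timestamps the server returned in its CREATE response, which is what to compare against the file's MACB times for the forensic question. The script assumes Zeek's default TSV log format and the 3.0.x column names; both log excerpts are constructed for the demonstration, and the files.log excerpt keeps only the columns the join needs (the parser is name-based, so the full column set works too).

```python
"""Check whether files that appear in Zeek's smb_files.log with an
SMB::FILE_OPEN action actually had bytes transferred, by joining them
with files.log on the fuid.

Added example for the thread above; not code from the original post or
from Zeek itself.  Assumes Zeek's default TSV log format ('#separator'
and '#fields' headers, '-' for unset, '(empty)' for empty) and the Zeek
3.0.x column names of smb_files.log and files.log.  The log excerpts
below are constructed.
"""
from typing import Dict, List, Optional

Row = Dict[str, Optional[str]]


def parse_zeek_tsv(text: str) -> List[Row]:
    """Parse a Zeek TSV log into row dicts keyed by the '#fields' names."""
    sep = "\t"
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # Zeek writes the separator in escaped form ('\x09'); decode it.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # #set_separator, #types, #path, #open, #close
        else:
            vals = line.split(sep)
            rows.append({k: (None if v == "-" else "" if v == "(empty)" else v)
                         for k, v in zip(fields, vals)})
    return rows


def correlate_smb_opens(smb_files_log: str, files_log: str) -> List[Dict[str, object]]:
    """Join each smb_files.log row to its files.log row via fuid.

    Only the actions in SMB::logged_file_actions are logged by Zeek's SMB
    scripts, so reads after an open get no row; files.log's seen_bytes
    is what shows whether data moved across the wire.
    """
    files_by_fuid = {r["fuid"]: r for r in parse_zeek_tsv(files_log) if r.get("fuid")}
    out: List[Dict[str, object]] = []
    for op in parse_zeek_tsv(smb_files_log):
        f = files_by_fuid.get(op.get("fuid") or "")
        seen = int(f["seen_bytes"]) if f and f.get("seen_bytes") else 0
        out.append({
            "name": op.get("name"),
            "action": op.get("action"),
            "fuid": op.get("fuid"),
            "smb_size": int(op["size"]) if op.get("size") else None,
            "seen_bytes": seen,
            "total_bytes": int(f["total_bytes"]) if f and f.get("total_bytes") else None,
            "extracted": f.get("extracted") if f else None,
            # Timestamp the server reported in its SMB CREATE response.
            "accessed": op.get("times.accessed"),
            "bytes_on_wire": seen > 0,
        })
    return out


def _tsv(*cols: str) -> str:
    return "\t".join(cols)


# Constructed smb_files.log excerpt: two files in a browsed share folder.
# setup.exe carries a fuid because data for it was seen; notes.txt does not.
SMB_FILES_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "fuid", "action", "path", "name", "size", "prev_name", "times.modified",
         "times.accessed", "times.created", "times.changed"),
    _tsv("1592345678.123456", "CHhAvVGS1DHFjwGM9", "10.0.0.25", "50123", "10.0.0.10",
         "445", "FAbc12BvKzYQm9Vh2", "SMB::FILE_OPEN", "\\\\nas\\software", "setup.exe",
         "2097152", "-", "1577836800.000000", "1592345600.000000",
         "1577836800.000000", "1577836800.000000"),
    _tsv("1592345678.223456", "CHhAvVGS1DHFjwGM9", "10.0.0.25", "50123", "10.0.0.10",
         "445", "-", "SMB::FILE_OPEN", "\\\\nas\\software", "notes.txt",
         "512", "-", "1577836800.000000", "1577836800.000000",
         "1577836800.000000", "1577836800.000000"),
])

# Constructed files.log excerpt, abridged to the columns the join uses.
FILES_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "fuid", "source", "filename", "seen_bytes", "total_bytes",
         "missing_bytes", "extracted"),
    _tsv("1592345678.150000", "FAbc12BvKzYQm9Vh2", "SMB", "setup.exe", "65536",
         "2097152", "0", "extract-1592345678.150000-SMB-FAbc12BvKzYQm9Vh2"),
])


if __name__ == "__main__":
    for r in correlate_smb_opens(SMB_FILES_LOG, FILES_LOG):
        print(f"{r['name']:<12} {r['action']:<16} seen={r['seen_bytes']:>7} "
              f"of {r['total_bytes']} extracted={r['extracted']} "
              f"accessed={r['accessed']} bytes_on_wire={r['bytes_on_wire']}")
```

Run it against real logs by reading /nsm/bro/logs/current/smb_files.log and files.log into the two strings; a row with bytes_on_wire true and an extracted filename is a file whose contents really were read over SMB, whatever the client thought it was doing, while a FILE_OPEN row with no fuid is an open with no data transfer behind it.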