SMB Create Remote File¶
Metadata¶
collaborators |
[‘@Cyb3rWard0g’, ‘@Cyb3rPandaH’] |
creation date |
2020/10/12 |
modification date |
2020/10/12 |
playbook related |
[] |
Hypothesis¶
Adversaries might be creating a file remotely via the Server Message Block (SMB) Protocol.
Technical Context¶
Client systems use the Common Internet File System (CIFS) Protocol to request file and print services from server systems over a network. CIFS is a stateful protocol, in which clients establish a session with a server and use that session to make a variety of requests to access files, printers, and inter-process communication (IPC) mechanisms, such as named pipes. The extended CIFS Protocol is known as the Server Message Block (SMB). The SMB2 CREATE Request packet is sent by a client to request either creation of or access to a file. In case of a named pipe or printer, the server MUST create a new file.
Offensive Tradecraft¶
Adversaries leverage SMB to copy files over the network to either execute code remotely or exfiltrate data.
Mordor Test Data¶
metadata |
https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html |
link |
Analytics¶
Initialize Analytics Engine¶
from openhunt.mordorutils import *
spark = get_spark()
Download & Process Mordor Dataset¶
mordor_file = "https://raw.githubusercontent.com/OTRF/mordor/master/datasets/small/windows/lateral_movement/host/covenant_copy_smb_CreateRequest.zip"
registerMordorSQLTable(spark, mordor_file, "mordorTable")
[+] Processing a Spark DataFrame..
[+] DataFrame Returned !
[+] Temporary SparkSQL View: mordorTable
Analytic I¶
Look for non-system accounts SMB connecting (Tree Connect) to a file share that is not IPC$.
Data source |
Event Provider |
Relationship |
Event |
---|---|---|---|
File |
Microsoft-Windows-Security-Auditing |
User accessed file share |
5140 |
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ShareName, SubjectUserName, SubjectLogonId, AccessMask
FROM mordorTable
WHERE LOWER(Channel) = 'security'
AND (EventID = 5140)
AND NOT ShareName LIKE '%IPC$'
AND NOT SubjectUserName LIKE '%$'
'''
)
df.show(10,False)
+-----------------------+---------------------------+---------+---------------+--------------+----------+
|@timestamp |Hostname |ShareName|SubjectUserName|SubjectLogonId|AccessMask|
+-----------------------+---------------------------+---------+---------------+--------------+----------+
|2020-09-22 14:53:32.341|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |0x1 |
+-----------------------+---------------------------+---------+---------------+--------------+----------+
Analytic II¶
Look for non-system accounts SMB connecting (Tree Connect) to an IPC\( Share and administrative shares (i.e C\)) with the same logon session ID.
Data source |
Event Provider |
Relationship |
Event |
---|---|---|---|
File |
Microsoft-Windows-Security-Auditing |
User accessed file share |
5140 |
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ShareName, SubjectUserName, b.SubjectLogonId, IpAddress, IpPort
FROM mordorTable b
INNER JOIN (
SELECT SubjectLogonId
FROM mordorTable
WHERE LOWER(Channel) = "security"
AND EventID = 5140
AND ShareName LIKE '%IPC$'
AND NOT SubjectUserName LIKE '%$'
) a
ON b.SubjectLogonId = a.SubjectLogonId
WHERE LOWER(b.Channel) = 'security'
AND b.EventID = 5140
AND b.ShareName LIKE '%C$'
AND NOT SubjectUserName LIKE '%$'
'''
)
df.show(10,False)
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+
|@timestamp |Hostname |ShareName|SubjectUserName|SubjectLogonId|IpAddress |IpPort|
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+
|2020-09-22 14:53:32.341|WORKSTATION6.theshire.local|\\*\IPC$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |
|2020-09-22 14:53:32.341|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+
Analytic III¶
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Data source |
Event Provider |
Relationship |
Event |
---|---|---|---|
File |
Microsoft-Windows-Security-Auditing |
User accessed File |
5145 |
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ShareName, SubjectUserName, SubjectLogonId, IpAddress, IpPort, RelativeTargetName
FROM mordorTable
WHERE LOWER(Channel) = "security"
AND EventID = 5145
AND ShareName LIKE '%C$'
AND NOT SubjectUserName LIKE '%$'
AND AccessMask = '0x2'
'''
)
df.show(10,False)
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
|@timestamp |Hostname |ShareName|SubjectUserName|SubjectLogonId|IpAddress |IpPort|RelativeTargetName |
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
|2020-09-22 14:53:32.342|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |ProgramData\GruntHTTP.exe|
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
Analytic IV¶
Look for non-system accounts SMB connecting (Tree Connect) to an IPC\( Share and administrative shares (i.e C\)) and accessing/creating a file with write (0x2) access mask with the same logon session ID.
Data source |
Event Provider |
Relationship |
Event |
---|---|---|---|
File |
Microsoft-Windows-Security-Auditing |
User accessed file share |
5140 |
File |
Microsoft-Windows-Security-Auditing |
User accessed File |
5145 |
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ShareName, SubjectUserName, d.SubjectLogonId, IpAddress, IpPort, RelativeTargetName
FROM mordorTable d
INNER JOIN (
SELECT b.SubjectLogonId
FROM mordorTable b
INNER JOIN (
SELECT SubjectLogonId
FROM mordorTable
WHERE LOWER(Channel) = "security"
AND EventID = 5140
AND ShareName LIKE '%IPC$'
AND NOT SubjectUserName LIKE '%$'
) a
ON b.SubjectLogonId = a.SubjectLogonId
WHERE LOWER(b.Channel) = 'security'
AND b.EventID = 5140
AND b.ShareName LIKE '%C$'
) c
ON d.SubjectLogonId = c.SubjectLogonId
WHERE LOWER(d.Channel) = 'security'
AND d.EventID = 5145
AND d.ShareName LIKE '%C$'
AND d.AccessMask = '0x2'
'''
)
df.show(10,False)
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
|@timestamp |Hostname |ShareName|SubjectUserName|SubjectLogonId|IpAddress |IpPort|RelativeTargetName |
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
|2020-09-22 14:53:32.342|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |ProgramData\GruntHTTP.exe|
|2020-09-22 14:53:32.342|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |ProgramData\GruntHTTP.exe|
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
Analytic V¶
Look for files that were accessed over the network with write (0x2) access mask via administrative shares (i.e C$) and that were created by the System process on the target system.
Data source |
Event Provider |
Relationship |
Event |
---|---|---|---|
File |
Microsoft-Windows-Security-Auditing |
User accessed File |
5145 |
File |
Microsoft-Windows-Sysmon/Operational |
Process created File |
11 |
df = spark.sql(
'''
SELECT `@timestamp`, Hostname, ShareName, SubjectUserName, SubjectLogonId, IpAddress, IpPort, RelativeTargetName
FROM mordorTable b
INNER JOIN (
SELECT LOWER(REVERSE(SPLIT(TargetFilename, '\'))[0]) as TargetFilename
FROM mordorTable
WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
AND Image = 'System'
AND EventID = 11
) a
ON LOWER(REVERSE(SPLIT(RelativeTargetName, '\'))[0]) = a.TargetFilename
WHERE LOWER(b.Channel) = 'security'
AND b.EventID = 5145
AND b.AccessMask = '0x2'
'''
)
df.show(10,False)
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
|@timestamp |Hostname |ShareName|SubjectUserName|SubjectLogonId|IpAddress |IpPort|RelativeTargetName |
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
|2020-09-22 14:53:32.342|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |ProgramData\GruntHTTP.exe|
|2020-09-22 14:53:32.342|WORKSTATION6.theshire.local|\\*\C$ |pgustavo |0x4e13b2e |172.18.39.5|62782 |ProgramData\GruntHTTP.exe|
+-----------------------+---------------------------+---------+---------------+--------------+-----------+------+-------------------------+
Known Bypasses¶
Idea |
Playbook |
---|
False Positives¶
None
Hunter Notes¶
Baseline your environment to identify normal activity. Document all accounts creating files over the network via administrative shares.
Hunt Output¶
Type |
Link |
---|
References¶
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb/8341356c-ede3-4e1c-a056-3de91473bde6
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e8fb45c1-a03d-44ca-b7ae-47385cfd7997