#
# File: bzar_files.zeek
# Created: 20180701
# Updated: 20200228
#
# Copyright 2018 The MITRE Corporation. All Rights Reserved.
# Approved for public release. Distribution unlimited. Case number 18-3868.
#
module BZAR;
function file_extract_whitelist_test ( c : connection ) : bool
{
	# Build the endpoint whitelist for extracted-file handling from the
	# config options (addresses, subnets and names for both endpoints),
	# then hand both ends of the connection to the shared whitelist test.
	local wl = BZAR::EndpointWhitelist(
		$orig_addrs   = attack_lm_extracted_file_whitelist_orig_addrs,
		$resp_addrs   = attack_lm_extracted_file_whitelist_resp_addrs,
		$orig_subnets = attack_lm_extracted_file_whitelist_orig_subnets,
		$resp_subnets = attack_lm_extracted_file_whitelist_resp_subnets,
		$orig_names   = attack_lm_extracted_file_whitelist_orig_names,
		$resp_names   = attack_lm_extracted_file_whitelist_resp_names
	);

	# Returns whatever BZAR::whitelist_test reports for the
	# originator/responder address pair of this connection.
	return BZAR::whitelist_test(c$id$orig_h, c$id$resp_h, wl);
}
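event file_over_new_connection(f:fa_file, c:connection, is_orig:bool)
{
	# Extract (and hash) files written to an SMB admin file share, unless
	# the connection endpoints are whitelisted.  Gated by the
	# attack_lm_file_extract_option config option.
	if ( !attack_lm_file_extract_option ) { return; }

	# Only SMB files whose tree path is an admin file share are of interest.
	if ( !f?$source || f$source != "SMB" || !c?$smb_state ||
	     !BZAR::smb_admin_file_share_test(c$smb_state) )
		return;

	# Only SMB writes, i.e. the file is being placed on the share.
	if ( !c$smb_state?$current_file ||
	     !c$smb_state$current_file?$action ||
	     c$smb_state$current_file$action != SMB::FILE_WRITE )
		return;

	# Whitelisted endpoints are not extracted.
	if ( BZAR::file_extract_whitelist_test(c) )
		return;

	# The SMB tree path and file name are taken from the client's request,
	# so they are untrusted.  The extract filename must be a single flat
	# name: replace both backslashes and forward slashes (the original only
	# handled backslashes, leaving "/" to be read as a directory separator).
	# The connection UID and file ID prefix keep the name unique.
	# NOTE(review): ".." components are passed through unchanged; keeping the
	# output inside the extraction directory relies on the extract
	# framework's own path handling -- confirm for the deployed Zeek version.
	local smb_name = BZAR::smb_full_path_and_file_name(c$smb_state);
	local safe_name = subst_string(subst_string(smb_name, "\\", "_"), "/", "_");
	local fname = fmt("%s_%s%s", c$uid, f$id, safe_name);

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT, Files::AnalyzerArgs($extract_filename=fname));

	# Also compute MD5, SHA1 and SHA256 of the file.
	Files::add_analyzer(f, Files::ANALYZER_MD5);
	Files::add_analyzer(f, Files::ANALYZER_SHA1);
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
}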
event file_state_remove(f:fa_file)
{
	# Raise one notice per admin-share SMB connection that carried a file
	# which was extracted to disk, subject to the two config options and
	# the endpoint whitelist.
	if ( !attack_lm_file_extract_option || !attack_lm_extracted_file_report_option )
		return;

	# Nothing to report unless this is an SMB file that was actually extracted.
	if ( !f?$source || f$source != "SMB" || !f?$conns || !f$info?$extracted )
		return;

	local extracted_path = f$info$extracted;

	for ( cid in f$conns )
	{
		local conn = f$conns[cid];

		# Skip connections whose SMB tree path is not an admin file share
		if ( !conn?$smb_state || !BZAR::smb_admin_file_share_test(conn$smb_state) )
			next;

		# Skip whitelisted endpoints
		if ( BZAR::file_extract_whitelist_test(conn) )
			next;

		NOTICE([$note=ATTACK::Lateral_Movement_Extracted_File,
		        $msg="Saved a copy of the file written to SMB admin file share",
		        $sub=extracted_path,
		        $f=f,
		        $conn=conn]);
	}
}
#end bzar_files.zeek