{ "_index": "logstash-alert-2022.09.13", "_type": "_doc", "_id": "C0SHNoMBfTCdXV7aPN-8", "_version": 1, "_score": null, "_source": { "see_name": "stamus-central-server", "stream": 1, "payload_printable": "...J.SMB.......H....{:.r./....4...E.............................H................&.SMB+......H.........c....4..........a.....SMB.......H..J.~...*.....4.............<...............<...H...x....=....~.....`.~.......S............................................P.SMB.......H..v...-%......4...P..........B.......B......L....................@.....G.SMB.......H..5...........4...E...........................................P.SMB.......H......r|}.....4.....................H....................... .I........&.SMB+......H.....J........4..........a...J.SMB.......H.....69.......4.................................H...........E....&.SMB+......H.........\\....4..........a.....SMB.......H.....'.$......4.............<...............<...H...x....=..H.I..... .I..... .).........................(...(...(..........P.SMB.......H....3\n.[F.....4...S..........B.......B......L....................@.....G.SMB.......H...)..+.......4...E...........................................P.SMB.......H..)..=.../....4.....................H....................... PF........&.SMB+......H...Z....<.....4..........a...J.SMB.......H.....8i.}*....4.................................H...........E....&.SMB+......H.....@..W@....4..........a...P.SMB.......H...g.1........4.................................H........... .)........&.SMB+......H..F.\\U..F.....4..........a...i.SMB.......H.....n........4...E.........!...............!...H........\"..*.(.................................&.SMB+......H..............4..........a...C.SMBu......H... <...8 ....4.................\\\\192.168.1.5\\C$.?????......SMB.......H..$..t.fs.....4...........M.................................@........N.\\WINDOWS\\44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe....<.SMB/......H..z.....\".....4...f.......@................<....MZ......................@...............................................!..L.!This program cannot be run in DOS mode.\r\r\n$.........y.....................................Rich............PE..L......[.................0...................@....@..........................0..............................................$8..<....P......................................................................(...D....................................text...4-.......0.................. ..`.data........@.......@..............@....rsrc........P.......P..............@..@qv2P ...X..L-.....:@7...........KERNEL32.DLL.NTDLL.DLL.MSVBVM60.DLL.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................", "alert": { "action": "allowed", "signature": "SNFILE Executable over SMB", "rev": 2, "signature_id": 1000005, "category": "", "gid": 1, "severity": 3 }, "payload": "AAAASv9TTUKhAAAAABgFSAAAHwZ7OpBytS8AAAMINAUACEUSEgAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAEgAAAAAAAAAAAMAAAABAAAAJv9TTUIrAAAAABgFSAAAuecRrq8EmmMAAAMINAUACAAAAQEAAQBhAAAAhP9TTUKhAAAAABgFSAAASgV+ovD3KucAAAMINAUACAEREgAAAAAAAAA8AAAAAAAAAAAAAAAAAAAAPAAAAEgAAAB4AAAAAD0AAIjgfgGg+P//YOJ+AaD4///gHVMBoPj//wAAAAAAAAAACAAAAAgAAAAIAAAAAAEAAAABAAAAAQAAAAAFAAAAAFD/U01CoAAAAAAYBUgAAHaBB/YtJY3oAAADCDQFAAhQEhMAAAAAEAAA4EIAAAAQAADgQgAABAAAAEwAAAAAAAAAAAAAAAAFAAcAAAAAAkAAAAAAAEf/U01CoQAAAAAYBUgAADXZntSHycwaAAADCDQFAAhFEhIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFD/U01CoQAAAAAYBUgAAKcRp4NyfH3hAAADCDQFAAgBERIAAAAIAAAAAAAAAAgAAABIAAAAgAAAAAAAAAAAAAAAAAAAAAAJAAAgEEkIoPj//wAAACb/U01CKwAAAAAYBUgAAKiltUq02/nYAAADCDQFAAgAAAEBAAEAYQAAAEr/U01CoQAAAAAYBUgAAI2vlTY5paWNAAADCDQFAAgBERIAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAABIAAAAwAAAAAADAABFEgAAACb/U01CKwAAAAAYBUgAAAwY7qeG+tlcAAADCDQFAAgAAAEBAAEAYQAAAIT/U01CoQAAAAAYBUgAALyGoSexJI+0AAADCDQFAAgBERIAAAAAAAAAPAAAAAAAAAAAAAAAAAAAADwAAABIAAAAeAAAAAA9AABIEEkIoPj//yASSQig+P//IOMpAaD4//8AAAAAAAAAAAgAAAAIAAAACAAAACgAAAAoAAAAKAAAAAAABQAAAABQ/1NNQqAAAAAAGAVIAACp7zMKp1tGFAAAAwg0BQAIUxITAAAAABAAAOBCAAAAEAAA4EIAAAQAAABMAAAAAAAAAAAAAAAABQAHAAAAAAJAAAAAAABH/1NNQqEAAAAAGAVIAACSKQvIK/Tr5wAAAwg0BQAIRRISAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQ/1NNQqEAAAAAGAVIAAApnKw9Bg/PLwAAAwg0BQAIARESAAAACAAAAAAAAAAIAAAASAAAAIAAAAAAAAAAAAAAAAAAAAAACQAAIFBGCKD4//8AAAAm/1NNQisAAAAAGAVIAADeWpTMDOI8mgAAAwg0BQAIAAABAQABAGEAAABK/1NNQqEAAAAAGAVIAACysrk4aax9KgAAAwg0BQAIARESAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAASAAAAMAAAAAAAwAARRIAAAAm/1NNQisAAAAAGAVIAADlxolAruZXQAAAAwg0BQAIAAABAQABAGEAAABQ/1NNQqEAAAAAGAVIAAD+ZwwxuaGppQAAAwg0BQAIARESAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAASAAAAIAAAAAACQAAIOMpAaD4//8AAAAm/1NNQisAAAAAGAVIAABGiVxVH81GxgAAAwg0BQAIAAABAQABAGEAAABp/1NNQqEAAAAAGAVIAADoy7Bu0JQDggAAAwg0BQAIRRISAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAhAAAASAAAAAAAAAAAIgAAKgIoAAEAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAABAAAAJv9TTUIrAAAAABgFSAAA7PSkg98MmNkAAAMINAUACAAAAQEAAQBhAAAAQ/9TTUJ1AAAAABgFSAAAtSA8Bo+dOCAAAP//NAUACAAABP8AAAAAAAEAGAAAXFwxOTIuMTY4LjEuNVxDJAA/Pz8/PwAAAACh/1NNQqIAAAAAGAVIAAAkjoB062ZzHAAABAg0BQAIAAAY/wAAAABNABYAAAAAAAAAAAAAEAAAAAAAAAAAgAAAAAMAAAAFAAAAQAAAAAIAAAAATgBcV0lORE9XU1w0NDc4M204dWg3N2c4bDhfbmt1YnlodTV2Znh4Ymg4Nzh4bzZobHR0a3BwemYyOHRzZHU1a3dwcGtfMTFjMWpsLmV4ZQAAABA8/1NNQi8AAAAAGAVIAAB6k5GvmMwi2wAABAg0BQAIZhIM/wAAAANAAAAAAP8AAAAEAAAQAAAAEDwAARAATVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADHv3nag94XiYPeF4mD3heJAMIZiYLeF4nM/B6Jh94XibX4GomC3heJUmljaIPeF4kAAAAAAAAAAFBFAABMAQMA/dWkWwAAAAAAAAAA4AAPAQsBBgAAMAQAAPADAAAAAADgEgAAABAAAABABAAAAEAAABAAAAAQAAAEAAAAAQAAAAQAAAAAAAAAADAIAAAQAAC2rwQAAgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAJDgEADwAAAAAUAQAuNQDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAgAARAAAAAAQAAD8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAA0LQQAABAAAAAwBAAAEAAAAAAAAAAAAAAAAAAAIAAAYC5kYXRhAAAAAAwAAABABAAAEAAAAEAEAAAAAAAAAAAAAAAAAEAAAMAucnNyYwAAALjUAwAAUAQAAOADAABQBAAAAAAAAAAAAAAAAABAAABAcXYyUCAAAQBYuudMLQAAAOzPOkA3AAAAAAAAAAAAAABLRVJORUwzMi5ETEwATlRETEwuRExMAE1TVkJWTTYwLkRMTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "sig": { "updated": "2022-07-30", "created": "2022-07-30", "source": "SN-FileExtraction-v1" }, "metadata": { "flowbits": [ "ET.smb.binary" ] }, "src_port": 59440, "type": "json-log", "packet": "pB9ywglqAAgCHEeuCABFAAXcE9JAAIAGXRzAqAHYwKgBBegwAb35jC+6Ye+N0VAQAP7tmwAAAAAQPP9TTUIvAAAAABgFSAAAwD0oKkI+ILQAAAQINAUACGYSDP8AAAADQAAQAAD/AAAABAAAEAAAABA8AAEQACIS131WGNd9C1LXfUdD130oTdd9QDztfQ0X132QNNd9hT3XfQAAAAAGiA9mef4OZmTBDGZM6g9mX18OZqJyEGaovQxmOvcOZjuaDWbB/Q5mWsIMZuycDWbu9g5mv7YNZvPFDWaG9w5mgJoNZob4DmZuiQ9malcPZpSaDGbRuA1mGaAAZnb+DmanmgxmE4oPZqWZDGakPA5mCfsOZjr4DmZTdRBmVoQOZhu7DWZa0w1mq4gPZq+cDWYdPBBmuvcOZrr4DmYOYQ5m7vcOZinyDmZ8NQBmmrsNZjZuEGZAhw9mbeMOZsSKD2a9uw1mkdEOZieaDWawYA5mAAAAAAAAAAAEAAQAAAAAAAAAAAAlH0QABgAEAAAAAACfMEQAiTBEAAUACACOMUQAAAAAAJUxRAAFAAgAfTJEAAAAAACEMkQABQAIAM0zRAAAAAAA1DNEAAAAAEAAAAAABQAIALs3RAAAAAAAwzdEAAAAAAAAAAAA/yV0EEAA/yWUEEAA/yWgEEAA/yVkEEAA/yVYEEAA/yW8EEAA/yVEEEAA/yXMEEAA/yVsEEAA/yXIEEAA/yXAEEAA/yWcEEAA/yWEEEAA/yWYEEAA/yVMEEAA/yUsEEAA/yXcEEAA/yUoEEAA/yXsEEAA/yWwEEAA/yVwEEAA/yWMEEAA/yXkEEAA/yXgEEAA/yWAEEAA/yUEEEAA/yUUEEAA/yXoEEAA/yV8EEAA/yXUEEAA/yWsEEAA/yVQEEAA/yUYEEAA/yUMEEAA/yUAEEAA/yUcEEAA/yX0EEAA/yVcEEAA/yWoEEAA/yU0EEAA/yWkEEAA/yW4EEAA/yUwEEAA/yU4EEAA/yXEEEAA/yVAEEAA/yUgEEAA/yUIEEAA/yUQEEAA/yVIEEAA/yXwEEAA/yVUEEAA/yVoEEAA/yW0EEAA/yU8EEAA/yXYEEAA/yVgEEAA/yWQEEAA/yV4EEAA/yWIEEAA/yXQEEAAAABoQApEAOju////AAAAAAAAMAAAAEAAAAAAAAAAIExish9ImEaWQWd6fz2P4AAAAAAAAAEAAAAAAAAAAABQcmVzYnl0ZXJpYW4AAAAAAAAAAP/MMQAJO3UZAqZok0CHeOCftA4tqOTN4D1I2jtDsx6eT0qYz6A6T60zmWbPEbcMAKoAYNOTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbfUDAH0iAAAACgBmcm1PcHRpb25zAA0BBwBPcHRpb25zABkBAEIAIgMjLiIAAGx0AAAmIgAAAAABAAkAICAQAAEABADoAgAAlgAAABgYEAABAAQA6AEAAH4DAAAUFBAAAQAEAKgBAABmBQAAEBAQAAEABAAoAQAADgcAACAgAAABAAgAqAgAADYIAAAYGAAAAQAIAMgGAADeEAAAEBAAAAEACABoBQAAphcAABAQAAABACAAaAQAAA4dAAAQEAIAAQABALAAAAB2IQAAKAAAACAAAABAAAAAAQAEAAAAAACAAgAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAIAAAIAAAACAgACAAAAAgACAAICAAACAgIAAwMDAAAAA/wAA/wAAAP//AP8AAAD/AP8A//8AAP///wAAB4iIiIiIiIiIiIiIiIcAAAj////////////////4AAAI+I+HcAd4j4iIiIiI+AAACPj4cHeHcHj4////+PgAAAj/d3j/j/hwj4////j4AAAI+Hf4/4+I9wj////4+AAACId4+P////93iIiI//gAAAiHiIeP//+IhHiIiP/4AAAIh4j4eP////d/////+AAACIePj4eP///3eIiI//gAAAiHiIj4eIiHh3+IiP/4AAAIh4+I+H8=", "files": [ { "stored": true, "size": 4096, "gaps": false, "sid": [ 1000005 ], "state": "UNKNOWN", "magic": "PE32 executable (GUI) Intel 80386, for MS Windows", "file_id": 0, "tx_id": 71, "filename": "\\WINDOWS\\44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe" } ], "agent": { "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.16.1", "name": "SSProbe-1", "hostname": "SSProbe-1", "ephemeral_id": "50e455b7-c932-4cf1-a630-0675035aba08", "type": "filebeat" }, "event_type": "alert", "src_ip": "192.168.1.216", "in_iface": "tppdummy0", "proto": "TCP", "tags": [ "beats_input_codec_json_applied" ], "host": "SSProbe-1", "input": { "type": "log" }, "timestamp": "2022-09-13T13:06:20.139101+0200", "flow_id": 1124567179719524, "app_proto": "smb", "@timestamp": "2022-09-13T11:06:20.139Z", "ecs": { "version": "1.12.0" }, "ether": { "src_mac": "00:08:02:1c:47:ae", "dest_mac": "a4:1f:72:c2:09:6a" }, "smb": { "id": 72, "dialect": "NT LM 0.12", "session_id": 0, "command": "SMB1_COMMAND_WRITE_ANDX", "share": "\\192.168.1.5\\C$", "fuid": "4003", "tree_id": 0, "filename": "\\WINDOWS\\44783m8uh77g8l8_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl.exe" }, "packet_info": { "linktype": 1 }, "see_id": "2e2cf4a77cbd", "alerted": true, "dest_ip": "192.168.1.5", "@version": "1", "flow": { "bytes_toclient": 26057, "pkts_toserver": 143, "pkts_toclient": 128, "src_port": 59440, "bytes_toserver": 40336, "start": "2022-09-13T13:06:19.786121+0200", "dest_ip": "192.168.1.5", "dest_port": 445, "src_ip": "192.168.1.216" }, "log": { "offset": 2105944469, "file": { "path": "/var/log/suricata/eve-alert.json" } }, "dest_port": 445, "tx_id": 71, "net_info": { "src_agg": "bad_actor.nerzw.bad.bad-users", "dest_agg": "user.nwzrd.org.affected-users", "src": [ "BAD_ACTOR.nerzw.bad", "BAD USERS" ], "dest": [ "USER.nwzrd.org", "AFFECTED USERS" ] } }, "fields": { "flow.start": [ "2022-09-13T11:06:19.786Z" ], "@timestamp": [ "2022-09-13T11:06:20.139Z" ], "sig.created": [ "2022-07-30T00:00:00.000Z" ], "EveBox": [ 1124567179719524 ], "Scirius": [ 1000005 ], "sig.updated": [ "2022-07-30T00:00:00.000Z" ], "timestamp": [ "2022-09-13T11:06:20.139Z" ] }, "highlight": { "app_proto.keyword": [ "@kibana-highlighted-field@smb@/kibana-highlighted-field@" ], "alert.signature.keyword": [ "@kibana-highlighted-field@SNFILE Executable over SMB@/kibana-highlighted-field@" ] }, "sort": [ 1663067180139 ] }