{ "flow_id": 1704853757037377, "payload_printable": "...E.SMBr.....S......................\"..NT LM 0.12..SMB 2.002..SMB 2.???......SMB@...........................................................$...........).K.F?...9.....ep.....................&....... .....V..2H...j...4fs...E+R]..=.F-d......................SMB@.........!.............................................................X.J.........`H..+......>0<..0..\n+.....7..\n.*.(NTLMSSP.........................\n.cE.........SMB@.........!.........................=...................................X.u............q0..m..\n.....P...LNTLMSSP.........................X.......t...\n.\n.........<.......\n.cE....Y.=.o........Ni.w.a.y.w.a.t.e.r.s.c.h.o.o.l.J.o.h.s.t.y...T.h.o.m.a.s.e.S.1.C.A.2................................L E..iD.R...........iU...].k...su........w.a.y.w.a.t.e.r.s.c.h.o.o.l.....W.1.0.P.N.S.W.A.G.7.6...(.w.a.y.w.a.t.e.r.s.c.h.o.o.l...l.o.c.a.l...@.W.1.1.M.N.S.G.A.F.7.1...w.a.y.w.a.t.e.r.s.c.h.o.o.l...l.o.c.a.l...(.w.a.y.w.a.t.e.r.s.c.h.o.o.l...l.o.c.a.l........iU.............0.0............0..&E...O..k...c.:T....A...\"..P...G\n..................... .c.i.f.s./.1.0...5...2.7...1.8.7.........;....zy.k../..M.........0...|\n.........h.SMB@...................................=.......j!......p.lb>.x-....H. .\\.\\.1.0...5...2.7...1.8.7.\\.c.$....x.SMB@...................................=.......GQ.........y..a.9.......................x...........x........................SMB@...........0.......................=.......................9......................................... .x.$.....0...w.i.n.d.o.w.s.\\.t.e.m.p.\\.k...e.x.e.....................MxAc....................QFid....", "@version": "1", "agent": { "ephemeral_id": "ee4ee20f-3b3b-4d0d-9b5c-0ddc1ef01420", "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "version": "7.17.8", "name": "Probe-dfir2", "hostname": "Probe-dfir2" }, "type": "json-log", "dest_ip": "10.3.15.99", "event_type": "alert", "capture_file": "/var/log/suricata/pcaps//log-1698068894-2.pcap", "log": { "file": { "path": "/var/log/suricata/eve-discovery-0.json" }, "offset": 3043812 }, "tx_id": 6, "metadata": { "flowbits": [ "stamus.smb.files.interest", "stamus.sightings" ] }, "timestamp": "2023-10-25T15:02:06.611705+0200", "packet": "ABf7AAA6ABf7AABlCABFAAAoPrtAAIAGcJgKBRu4CgUbu8X8Ab2NC87i5q/GwFAQIBRzKwAA", "dest_port": 445, "logger": "logstash-manager", "alert": { "source": { "port": 445, "ip": "10.3.15.99" }, "category": "Unknown Traffic", "metadata": { "created_at": [ "2022_01_25" ], "updated_at": [ "2023_01_09" ], "provider": [ "Stamus" ], "stamus_classification": [ "stamus_sightings" ], "sightings_asset": [ "src_ip" ], "sightings_key": [ "smb.filename" ] }, "gid": 1, "rev": 2, "severity": 3, "signature_id": 3120013, "action": "allowed", "signature": "SN SIGHTINGS Newly discovered SMB Filename - exe", "target": { "port": 50684, "net_info": [ "USER.vyhar.org", "AFFECTED USERS" ], "net_info_agg": "user.vyhar.org.affected-users", "ip": "10.1.13.26" } }, "proto": "TCP", "@timestamp": "2023-10-25T13:02:06.611Z", "flow": { "bytes_toserver": 2188, "start": "2023-10-25T15:02:06.528014+0200", "src_ip": "10.1.13.26", "dest_port": 445, "dest_ip": "10.3.15.99", "pkts_toclient": 8, "src_port": 50684, "bytes_toclient": 2118, "pkts_toserver": 11 }, "in_iface": "tppdummy0", "src_port": 50684, "src_ip": "10.1.13.26", "net_info": { "src": [ "USER.vyhar.org", "AFFECTED USERS" ], "src_agg": "user.vyhar.org.affected-users" }, "alerted": true, "tags": [ "beats_input_codec_json_applied" ], "smb": { "disposition": "FILE_OPEN", "filename": "windows\\temp\\nk.exe", "size": 0, "command": "SMB2_COMMAND_CREATE", "access": "normal", "accessed": 0, "tree_id": 1, "created": 0, "dialect": "3.11", "id": 7, "changed": 0, "modified": 0, "status_code": "0xc0000034", "session_id": 21990232555581, "ext_status": { "customer": 0, "text": "STATUS_OBJECT_NAME_NOT_FOUND", "facility": "UNDEFINED", "severity": "ERROR", "short_code": "0x34" }, "status": "STATUS_OBJECT_NAME_NOT_FOUND", "fuid": "" }, "tenant": 2268, "host": "Probe-dfir2", "stream": 1, "ether": { "src_mac": "00:17:fb:00:00:65", "dest_mac": "00:17:fb:00:00:3a" }, "app_proto": "smb", "packet_info": { "linktype": 1 }, "input": { "type": "log" }, "discovery": { "asset_net": "user.vyhar.org.affected-users", "asset_role": [], "asset": "10.1.13.26", "key": "smb.filename", "value": "windows\\temp\\nk.exe" }, "_id": "pVfxZosBuCgeJZg6dvM1" }