{
  "flow_id": 1704853757037377,
  "payload_printable": "...E.SMBr.....S......................\"..NT LM 0.12..SMB 2.002..SMB 2.???......SMB@...........................................................$...........).K.F?...9.....ep.....................&....... .....V..2H...j...4fs...E+R]..=.F-d......................SMB@.........!.............................................................X.J.........`H..+......>0<..0..\n+.....7..\n.*.(NTLMSSP.........................\n.cE.........SMB@.........!.........................=...................................X.u............q0..m..\n.....P...LNTLMSSP.........................X.......t...\n.\n.........<.......\n.cE....Y.=.o........Ni.w.a.y.w.a.t.e.r.s.c.h.o.o.l.J.o.h.n...T.h.o.m.s.o.n.S.1.C.A.2................................L E..iD.R...........iU...].k...su........w.a.y.w.a.t.e.r.s.c.h.o.o.l.....W.1.0.P.N.S.W.A.G.7.6...(.w.a.y.w.a.t.e.r.s.c.h.o.o.l...l.o.c.a.l...@.W.1.0.P.N.S.W.A.G.7.6...w.a.y.w.a.t.e.r.s.c.h.o.o.l...l.o.c.a.l...(.w.a.y.w.a.t.e.r.s.c.h.o.o.l...l.o.c.a.l........iU.............0.0............0..&E...O..k...c.:T....A...\"..P...G\n..................... .c.i.f.s./.1.0...5...2.7...1.8.7.........;....zy.k../..M.........0...|\n.........h.SMB@...................................=.......j!......p.lb>.x-....H. .\\.\\.1.0...5...2.7...1.8.7.\\.c.$....x.SMB@...................................=.......GQ.........y..a.9.......................x...........x........................SMB@...........0.......................=.......................9......................................... .x.$.....0...w.i.n.d.o.w.s.\\.t.e.m.p.\\.k...e.x.e.....................MxAc....................QFid.......t.SMB@...........0.......................=.......................9........................... ...........D...x.$.........w.i.n.d.o.w.s.\\.t.e.m.p.\\.k...e.x.e.....8........... ...DH2Q....................2.K.F?...9.....e ...............AlSi.....(......................MxAc....................QFid................4...RqLs......}....Z.........................wI..,.......XD..........SMB@...........0...p...................=.......................)...X............................................SMB@...........4.......................=.......................)...P.......................................h.SMB@...........0.......\n...............=.......................!.......`........................(.........p.SMB@...........0.......................=.......................1.p.............................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode.\r\r\n$.......)..xm..+m..+m..+y..*f..+y..*k..+y..*...+...*J..+...*}..+...*d..+y..*`..+m..+...+m..+1..+...*l..+Richm..+........PE..d....OHc..........\"....!.l..........$..........@.............................p............`.....................................................P...............d8...........`.......L..T....................M..(...PK..@...............p............................text...`j.......l.................. ..`.rdata...b.......d...p..............@..@.data...............................@....pdata..d8.......:..................@..@_RDATA..\\....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................H...x...A.......................H.......A.......................H.Q.H..t.H..A...................UVH..8H.l$0H.E........H...s.H..8^].H.....t5...uNH.N.H.M..3...H.F.H..t.H.M.H... ...H..A.....H....H.V.H..t.H.N.A.....H..8^].....H...H..H..8^].P...H.T$.UVH..(H.j0H.M.......H..(^].................H.A.H..t.H... ...H..A.....H.....................VH.. H..H.Q.H..t.H..A......q...H...H..H.. ^.....UAWAVAUATVWSH......H..$....H..P.......H......H.\nL.j.H.r.I.@.H.E.A....)E.A...A..I..)M@.)E0E...r...I...sOL..L.v.H..vH.......L..M9.......I.@.H.C.A......I...........O..)......)......m...L..H...H......H......H.......L......L......H.......x.........Y...H........H..H......H.E.A...r...L..H..",
  "@version": "1",
  "agent": {
    "ephemeral_id": "ee4ee20f-3b3b-4d0d-9b5c-0ddc1ef01420",
    "type": "filebeat",
    "id": "9f305fa4-6db1-485c-81f9-598dce1469e3",
    "version": "7.17.8",
    "name": "Probe-dfir2",
    "hostname": "Probe-dfir2"
  },
  "type": "json-log",
  "dest_ip": "10.1.1.22",
  "event_type": "alert",
  "capture_file": "/var/log/suricata/pcaps//log-1698068894-2.pcap",
  "log": {
    "offset": 3047508,
    "file": {
      "path": "/var/log/suricata/eve-discovery-0.json"
    }
  },
  "tx_id": 8,
  "metadata": {
    "flowbits": [
      "stamus.smb.files.interest",
      "stamus.sightings",
      "ET.smb.binary"
    ]
  },
  "timestamp": "2023-10-25T15:02:06.714037+0200",
  "packet": "ABf7AAA6ABf7AABlCABFAAXcPs5AAIAGatEKBRu4CgUbu8X8Ab2NDBBf5q/JNlAQIBEaKAAAQQxIiUQkKItpEESLeRSLQRhIiUQkEItRHEiJVCQgRItJIESLcSSLcShEi2EsRItBMItRNItZOEiJTCQwRItRPL8KAAAADx8ASIl8JGhDjQwowcEHMelCjSwpSIlMJEDBxQlEMc1IiWwkWAHpwcENRDHBSIlMJGAB6cHBEkQx6UiLRCQYRo0EOEHBwAdFMfBDjSw4wcUJMdVIiWwkUEWNLChBwcUNQTHFRY10LQBBwcYSRTH+SItEJBCNLDDBxQcx3UiJbCRIjRQuwcIJM1QkCESNPCpBwccNQTHHQY0cF8HDEjHzQ40sFMHFBzNsJChFjQwqQcHBCUQzTCQgQY00KcHGDUQx5kaNHA5BwcMSRTHTjQQpwcAHRDHojTwIwccJMddIiUQkGI0UB8HCDTHqSIlUJChIiXwkCESNLDpBwcUSQTHNSIt8JGhIi0wkQEGNFA7BwgdEMfpCjQQywcAJRDHISIlUJBCNLBDBxQ0xzUiJRCQgRI08KEHBxxJFMfdGjSQDQcHEB0Ex9EWNDBxBwcEJRDNMJFhHjTQhQcHGDUUxxkONNA7BxhIx3kiLRCRIRY0EA0HBwAdEM0QkYEONFBjBwgkzVCRQQo0cAsHDDTHDRI0UE0HBwhJFMdpIg8f/D4Vi/v//SItMJDDzRA9vCfNED29BEANRNANZOPMPb1EkRANRPGYPftdIwecgi0EgSAHHSIPHAUiJeSBmRA9uVCQoZg9uZCQIZg9ubCQYZkEPbvVmRA9uZCQgZg9uTCQQZkUPbvdmD27dQQHBZkUPbthmQQ9u/GZED27uZkEPbsZmQQ9i4mYPYvVmD2z0ZkQP/s5mQQ9izGZBD2LeZg9s2WZBD/7YSItEJDjzRA9/CPMPf1gQRIlIIGZBD2L7ZkEPYsVmD2zHZg/+wvMPf0AkiVA0iVg4RIlQPA8odCRwDyi8JIAAAABEDyiEJJAAAABEDyiMJKAAAABEDyiUJLAAAABEDyicJMAAAABEDyikJNAAAABEDyisJOAAAABEDyi0JPAAAABIgcQIAQAAW11fXkFcQV1BXkFfw8zMzMzMzMzMzMzMzMzMzEFXQVZBVUFUVldVU0iB7HgBAABEDymEJGABAABmD3+8JFABAABmD3+0JEABAABIi0IQSImEJPgAAABIhcAPhPAEAABIiwJIiYQk6AAAAEiLQghIiYQk4AAAAItBFEiJRCQIi1EYi0EcRItJIESLYSSLWSiLcSxIiTQkMfZFD1fASImMJPAAAAAPH4QAAAAAAEiJRCQYSIm0JAABAABEixlIichEi0EERItpCItpDESLURBEi3kwRItxNItJOIt4PLgKAAAASImEJAgBAABIidBIixQkTInmZg8fhAAAAAAASImcJBABAABIibwkGAEAAEiJbCQQQ40sH8HFB0Qx1UiJrCQoAQAATItUJAhBjTwrwccJRDHPSIm8JDgBAACNHC/Bww1EMftIiRwkRI0MO0HBwRJFMdlHjSQQQcHEB0Ex9EONHBTBwwlEMfNIiZwkMAEAAEKNLCPBxQ1EMcVEjTQrQcHGEkUx1kiLvCQQAQAAjRw4wcMHMctIiZwkIAEAAI0MO0iJ/sHBCUQx6Y08GcHHDTHHRI08D0HBxxJBMfdIi5wkGAEAAI0EGsHABzNEJBBIidaNFBhJidjBwgkzVCQYjRwCwcMNMfONNBPBxhJEMcZIiXQkEEaNBAhBwcAHQTHoR40sCEHBxQlBMc1DjSwowcUNMcVGjVwtAEHBwxJFMctIi7QkKAEAAEGNBDbBwAcx+EKNDDDBwQkx0USNFAFBwcINQTHySIlMJBhEAdHBwRJEMfFIiUwkCEONFCfBwgcx2kaNDDpBwcEJRDOMJDgBAABBjTQRwcYNRDHmQo0cDsHDEkQx+0iLvCQgAQAASItMJBBEjTw5QcHHB0QzPCRFjTQPSYnMQcHGCUQ=",
  "dest_port": 445,
  "logger": "logstash-manager",
  "alert": {
    "source": {
      "port": 445,
      "ip": "10.1.1.22"
    },
    "category": "Unknown Traffic",
    "metadata": {
      "created_at": [
        "2023_01_20"
      ],
      "updated_at": [
        "2023_01_20"
      ],
      "provider": [
        "Stamus"
      ],
      "stamus_classification": [
        "stamus_sightings"
      ],
      "sightings_asset": [
        "src_ip"
      ],
      "sightings_key": [
        "smb.filename"
      ]
    },
    "gid": 1,
    "rev": 1,
    "severity": 3,
    "signature_id": 3120015,
    "action": "allowed",
    "signature": "SN SIGHTINGS Newly discovered SMB file transfer - executable",
    "target": {
      "port": 50684,
      "net_info": [
        "USER.vyhar.org",
        "AFFECTED USERS"
      ],
      "net_info_agg": "user.vyhar.org.affected-users",
      "ip": "10.2.0.79"
    }
  },
  "proto": "TCP",
  "@timestamp": "2023-10-25T13:02:06.714Z",
  "flow": {
    "bytes_toserver": 21385,
    "start": "2023-10-25T15:02:06.528014+0200",
    "src_ip": "10.2.0.79",
    "dest_port": 445,
    "dest_ip": "10.1.1.22",
    "pkts_toclient": 12,
    "src_port": 50684,
    "bytes_toclient": 2964,
    "pkts_toserver": 29
  },
  "files": [
    {
      "sid": [
        1450019
      ],
      "filename": "windows\\temp\\bk.exe",
      "gaps": false,
      "file_id": 0,
      "stored": true,
      "size": 15944,
      "mimetype": "application/x-executable",
      "state": "UNKNOWN",
      "tx_id": 8
    }
  ],
  "in_iface": "tppdummy0",
  "src_port": 50684,
  "src_ip": "10.2.0.79",
  "net_info": {
    "src": [
      "USER.vyhar.org",
      "AFFECTED USERS"
    ],
    "src_agg": "user.vyhar.org.affected-users"
  },
  "alerted": true,
  "tags": [
    "beats_input_codec_json_applied"
  ],
  "smb": {
    "fuid": "00000007-0005-0000-0001-000000000005",
    "dialect": "3.11",
    "filename": "windows\\temp\\bk.exe",
    "id": 9,
    "command": "SMB2_COMMAND_WRITE",
    "session_id": 21990232555581,
    "tree_id": 1,
    "share": ""
  },
  "tenant": 2268,
  "host": "Probe-dfir2",
  "stream": 1,
  "ether": {
    "src_mac": "00:17:fb:00:00:65",
    "dest_mac": "00:17:fb:00:00:3a"
  },
  "app_proto": "smb",
  "packet_info": {
    "linktype": 1
  },
  "input": {
    "type": "log"
  },
  "discovery": {
    "asset_net": "user.vyhar.org.affected-users",
    "asset_role": [],
    "asset": "10.2.0.79",
    "key": "smb.filename",
    "value": "windows\\temp\\bk.exe"
  },
  "_id": "mFfxZosBuCgeJZg6dvMr"
}