BRO/ZEEK — The Modern Watchtower

Fennec Fox
BZAR scripts
Zeek Notices
  1. PsExec attempts a write by issuing an SMB Tree Connect to ADMIN$ (ADMIN$ is simply a link to the path C:\Windows).
  2. It saves a copy of the executable file on the target machine.
  3. An RPC call is made for process creation: svcctl::CreateServiceWOW64W
  4. Another RPC call is made for process initiation: svcctl::StartServiceW

Now, let us look at the background of the alert:

  • smb_mapping.log
  • smb_files.log
  • dce_rpc.log
  1. smb_mapping logs are generated after parsing the SMB Tree Connect information from captured SMB traffic.
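To make the correlation between the three logs concrete, here is an added Python example (not from the original post and not BZAR's own code) that reads constructed Zeek JSON log lines for smb_mapping, smb_files and dce_rpc and raises a PsExec-style notice only when the ADMIN$ tree connect, the executable written to that share, and the svcctl CreateService/StartService calls are all seen between the same source and destination host. The host addresses, uids and the file name PSEXESVC.exe in the sample are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample Zeek JSON log lines (not captured traffic): one PsExec-style
# sequence from 10.0.0.5 to 10.0.0.9, plus an unrelated mapping of a user share.
SAMPLE_LOGS = r"""
{"_path":"smb_mapping","ts":1.0,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","path":"\\\\10.0.0.9\\ADMIN$","share_type":"DISK"}
{"_path":"smb_files","ts":1.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.9\\ADMIN$","name":"PSEXESVC.exe","size":0}
{"_path":"dce_rpc","ts":1.2,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","named_pipe":"\\pipe\\svcctl","endpoint":"svcctl","operation":"CreateServiceWOW64W"}
{"_path":"dce_rpc","ts":1.3,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9","named_pipe":"\\pipe\\svcctl","endpoint":"svcctl","operation":"StartServiceW"}
{"_path":"smb_mapping","ts":2.0,"uid":"C2","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.9","path":"\\\\10.0.0.9\\Public","share_type":"DISK"}
"""

ADMIN_SHARES = ("ADMIN$", "C$")            # administrative shares PsExec writes to
CREATE_OPS = {"CreateServiceWOW64W", "CreateServiceW"}
START_OPS = {"StartServiceW"}

def parse_zeek_json(text):
    """Parse newline-delimited Zeek JSON records (each carries its log name in _path)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_psexec(records):
    """Return one alert per (orig_h, resp_h) pair that shows all PsExec stages:
    ADMIN$ tree connect, an .exe placed on that share, and svcctl Create+Start."""
    state = defaultdict(lambda: {"admin_share": False, "exe": None, "ops": set()})
    for r in sorted(records, key=lambda x: x["ts"]):
        s = state[(r["id.orig_h"], r["id.resp_h"])]
        path = r.get("path", "").upper()
        if r["_path"] == "smb_mapping" and path.endswith(ADMIN_SHARES):
            s["admin_share"] = True                      # stage 1: tree connect
        elif r["_path"] == "smb_files" and path.endswith(ADMIN_SHARES) \
                and r.get("name", "").lower().endswith(".exe"):
            s["exe"] = r["name"]                         # stage 2: binary dropped
        elif r["_path"] == "dce_rpc" and r.get("endpoint") == "svcctl":
            s["ops"].add(r.get("operation"))             # stages 3 and 4: svcctl RPC
    alerts = []
    for (src, dst), s in state.items():
        if s["admin_share"] and s["exe"] and (s["ops"] & CREATE_OPS) and (s["ops"] & START_OPS):
            alerts.append({"src": src, "dst": dst, "file": s["exe"],
                           "rpc_ops": sorted(s["ops"] & (CREATE_OPS | START_OPS)),
                           "note": "Possible PsExec-style remote service execution"})
    return alerts

if __name__ == "__main__":
    for alert in detect_psexec(parse_zeek_json(SAMPLE_LOGS)):
        print(alert)
```

The benign mapping of the Public share by 10.0.0.7 never reaches an alert because it lacks the executable write and the svcctl calls, which is the same three-part evidence the notice above relies on.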

Incident Handler, Security Operations

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Reactions to the Cybersecurity Executive Order

Access Control with Encrypted NFT Documents — #BuildItOnXDC

{UPDATE} The Game Gal's Word Generator Hack Free Resources Generator

{UPDATE} Animales reales de la selva del tiro al arco Hack Free Resources Generator

Privacy and Data Protection

Announcing the winners of the Anystake DFT Bounty Program

ICON: BinanceKR joins MyID Alliance, Delegation Program and the CPF Paper, Live AMA with Ricky…

Announcing the Next Cross-Chain Token Bridge Listing — bloXmove + FRM Buyback

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abhijith Rao

Abhijith Rao

Incident Handler, Security Operations

More from Medium

Continuous attacks on the healthcare infrastructure have once more demonstrated the need for…

Understanding the Data Protection Act 2021.

5 Tips to Prevent Cyber Attacks & Protect Your Business

The importance of information security in the age of information