Zeek Alert Details
Alert ID: ZEEK-SMB-LATERAL-1021-7842
Alert Time: 2024-03-11 10:30:22 EST
Severity: HIGH (85/100)
Source: Zeek Network Security Monitor
Rule: “SMB Admin Share Access – Potential Lateral Movement”
MITRE ATT&CK: T1021.002 – Remote Services: SMB/Windows Admin Shares
Alert Details:
Detection: Access to ADMIN$ or C$ shares from non-admin workstation
Connection Details:
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 192.168.10.50 (FILESRV-01 – File Server)
Protocol: SMB (TCP/445)
Time: 10:15-10:30 EST
SMB Commands:
10:15:22 – SMB2 Create Request: \\192.168.10.50\ADMIN$ (admin share)
10:15:25 – SMB2 Create Response: SUCCESS
10:15:28 – SMB2 Write: writing \\192.168.10.50\ADMIN$\System32\psexesvc.exe
10:15:35 – SMB2 Create: \\192.168.10.50\C$\Windows\Temp\mimikatz.exe
10:15:42 – SMB2 Write: writing mimikatz.exe
10:16:05 – SMB2 Create: \\192.168.10.50\ADMIN$\System32\tasks\update.ps1
10:16:12 – SMB2 Write: writing update.ps1
10:16:30 – SMB2 Close
File Transfers:
psexesvc.exe (PsExec service) – 124 KB
mimikatz.exe – 1.2 MB
update.ps1 – 4 KB (PowerShell script)
Detection Logic:
Access to ADMIN$ share (requires admin privileges)
Source host is engineering workstation (not IT admin)
Transfer of hacking tools (mimikatz)
PowerShell script for persistence
Pattern matches lateral movement and tool deployment
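The five detection criteria above, implemented as a small correlation over Zeek SMB logs. This is an added illustration, not the rule the report's Zeek deployment ran: it assumes the smb_mapping.log and smb_files.log records were merged as JSON lines tagged with a `_path` field, that an allowlist of admin hosts exists (the 192.168.10.5 entry is invented), and that the scoring weights (40 + 30 + 15) are chosen here to reproduce the 85/100 severity in the alert header.

```python
import json
import re

# Hosts allowed to map admin shares (assumed allowlist, not from the report).
ADMIN_HOSTS = {"192.168.10.5"}
# Filenames the report's alert treats as attacker tooling.
TOOL_NAMES = {"psexesvc.exe", "mimikatz.exe"}
# \\host\ADMIN$ or \\host\C$ (any drive letter); IPC$ and ordinary named shares do not match.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN|[A-Z])\$$", re.IGNORECASE)

# Constructed sample lines in Zeek's JSON log layout (smb_mapping.log / smb_files.log):
# the alert's connection, one benign admin session, and one ordinary share mapping.
SAMPLE_LOGS = r"""
{"_path":"smb_mapping","ts":1710170122.0,"uid":"C1eng","id.orig_h":"192.168.45.78","id.resp_h":"192.168.10.50","path":"\\\\192.168.10.50\\ADMIN$","share_type":"DISK"}
{"_path":"smb_files","ts":1710170128.0,"uid":"C1eng","id.orig_h":"192.168.45.78","id.resp_h":"192.168.10.50","action":"SMB::FILE_WRITE","path":"\\\\192.168.10.50\\ADMIN$","name":"System32\\psexesvc.exe","size":126976}
{"_path":"smb_files","ts":1710170142.0,"uid":"C1eng","id.orig_h":"192.168.45.78","id.resp_h":"192.168.10.50","action":"SMB::FILE_WRITE","path":"\\\\192.168.10.50\\C$","name":"Windows\\Temp\\mimikatz.exe","size":1258291}
{"_path":"smb_files","ts":1710170172.0,"uid":"C1eng","id.orig_h":"192.168.45.78","id.resp_h":"192.168.10.50","action":"SMB::FILE_WRITE","path":"\\\\192.168.10.50\\ADMIN$","name":"System32\\tasks\\update.ps1","size":4096}
{"_path":"smb_mapping","ts":1710170200.0,"uid":"C2adm","id.orig_h":"192.168.10.5","id.resp_h":"192.168.10.50","path":"\\\\192.168.10.50\\ADMIN$","share_type":"DISK"}
{"_path":"smb_mapping","ts":1710170210.0,"uid":"C3usr","id.orig_h":"192.168.45.78","id.resp_h":"192.168.10.50","path":"\\\\192.168.10.50\\Projects","share_type":"DISK"}
"""


def score_admin_share_sessions(log_text, admin_hosts=ADMIN_HOSTS):
    """Group admin-share activity per Zeek connection uid and score it like the rule above."""
    sessions = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not ADMIN_SHARE.match(rec.get("path", "")):
            continue  # IPC$ and ordinary named shares are out of scope for this rule
        s = sessions.setdefault(rec["uid"], {"src": rec["id.orig_h"], "dst": rec["id.resp_h"], "writes": []})
        if rec["_path"] == "smb_files" and rec.get("action") == "SMB::FILE_WRITE":
            s["writes"].append(rec["name"])
    alerts = []
    for uid, s in sessions.items():
        if s["src"] in admin_hosts:
            continue  # expected administration from an allowlisted host; suppressed, not scored
        tools = [n for n in s["writes"] if n.rsplit("\\", 1)[-1].lower() in TOOL_NAMES]
        scripts = [n for n in s["writes"] if n.lower().endswith(".ps1")]
        # Assumed weights: admin share from a non-admin host 40, known tool 30, script drop 15.
        score = 40 + (30 if tools else 0) + (15 if scripts else 0)
        alerts.append({"uid": uid, "src": s["src"], "dst": s["dst"], "score": score,
                       "tools": tools, "scripts": scripts})
    return alerts


if __name__ == "__main__":
    for alert in score_admin_share_sessions(SAMPLE_LOGS):
        print(json.dumps(alert))
```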
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify Zeek alert | Zeek Logs, Splunk | Confirmed SMB admin share access and tool transfer
2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host compromised (Cobalt Strike)
3. Destination Investigation | Check FILESRV-01 | CrowdStrike Falcon | Files transferred but not executed yet
4. Immediate Action | Isolate both hosts | CrowdStrike | Both hosts quarantined
5. File Removal | Delete transferred files | CrowdStrike Live Response | psexesvc.exe, mimikatz.exe, update.ps1 deleted
6. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset
Jira Incident Report
Ticket: SOC-2024-205
Summary: T1021.002 – SMB Admin Share Lateral Movement and Tool Transfer
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Stopped, Tools Removed
Priority: P2 – MEDIUM
Labels: T1021, smb, admin-shares, lateral-movement, zeek, compromised-host
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Zeek Network Security Monitor.
Alert: “SMB Admin Share Access – Potential Lateral Movement”.
Source: ENG-WS-045 (Engineering, compromised).
Destination: FILESRV-01 (File Server).
Activity: Access to ADMIN$, transfer of hacking tools.
Time: 2024-03-11 10:30 EST.
Technique: MITRE ATT&CK T1021.002 – Remote Services: SMB/Windows Admin Shares.
2. Technical Analysis:
Attack Chain:
09:30 – rpatel account compromised
09:45 – Attacker logs into ENG-WS-045
10:00 – Attacker enumerates network, finds FILESRV-01
10:15 – Connects to ADMIN$ share using stolen credentials
10:15-10:25 – Transfers psexesvc.exe, mimikatz.exe, update.ps1
10:25 – Files staged on FILESRV-01
10:30 – Zeek detects
Transferred Files:
psexesvc.exe: PsExec service (for remote execution)
mimikatz.exe: Credential dumping tool
update.ps1: PowerShell script to:
# Check if running as admin
# If yes, download and execute additional payload
# Add persistence via scheduled task
Attacker Intent:
Use FILESRV-01 as a staging point
Later execute tools remotely via PsExec
Dump credentials from file server
Destination Status:
Files transferred but not executed
No compromise of FILESRV-01 yet
3. Investigation Findings:
Timeline:
09:30 – Account compromised
09:45 – Attacker on ENG-WS-045
10:00 – Reconnaissance
10:15-10:25 – File transfer
10:30 – Alert
10:32 – SOC investigates
10:33 – Both hosts isolated
10:34 – Files deleted
Indicators of Compromise (IoCs):
Network:
– SMB access to \\FILESRV-01\ADMIN$
– File transfers (psexesvc.exe, mimikatz.exe, update.ps1)
Files (on FILESRV-01):
– \\FILESRV-01\ADMIN$\System32\psexesvc.exe (deleted)
– \\FILESRV-01\C$\Windows\Temp\mimikatz.exe (deleted)
– \\FILESRV-01\ADMIN$\System32\tasks\update.ps1 (deleted)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated both ENG-WS-045 and FILESRV-01.
Deleted all transferred files from FILESRV-01.
Disabled rpatel account.
Reset password.
Host Remediation:
Reimaged ENG-WS-045.
Full scan of FILESRV-01 (clean).
Verified no execution occurred.
Network Remediation:
Restricted SMB admin share access to specific admin hosts.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing SMB lateral movement.
Contributing Factors:
No MFA on account.
SMB admin shares accessible from any host.
No network segmentation.
6. Business Impact:
Operational Impact: Two hosts offline for 2 hours.
Data Exposure: Tools staged but not executed.
7. Remediation & Prevention:
Completed Actions:
Lateral movement stopped.
Tools removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Restricted SMB admin share access.
Implemented network segmentation.
Enhanced monitoring for SMB admin share access.
8. Conclusion:
An attacker used a compromised account to access the ADMIN$ share on a file server via SMB, transferring hacking tools for later execution. Zeek detected the anomalous SMB activity, enabling removal of the tools before execution.
Closure Rationale: Lateral movement stopped; tools removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-11 11:30 EST