Created
October 21, 2019 19:42
-
-
Save travisbgreen/e3b34e848efbe2fe0dc37183786ce9be to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= PATCHED -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | |
| user ~ malware CAR 1 cat /dev/null > ./fast.log && sudo /opt/suricata-git.latest/src/suricata -c /etc/suricata/suricata.testsuri4.yaml -l . -S ~/rules/lateral-rules/lateral.rules -k none -r ./merged.pcap && cat ./fast.log && wc ./fast.log | |
| [29956] 21/10/2019 -- 12:36:03 - (suricata.c:1072) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (412ae11ba 2019-10-12) running in USER mode | |
| [29956] 21/10/2019 -- 12:36:04 - (tm-threads.c:2145) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started. | |
| <snip> | |
| [29970] 21/10/2019 -- 12:36:04 - (source-pcap-file.c:378) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 8407 packets, 4807232 bytes | |
| 10/09/2017-09:10:39.132806 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.133715 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.134042 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-08:21:18.117472 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610764 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610764 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-08:21:18.123948 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.134301 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.138804 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.281682 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.281682 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610006:1] TGI LATERAL DCERPC ATSVC v1.0 Bind raw UUID 6cb71c2c-9812-4540-0300-000000000000 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610008:1] TGI LATERAL DCERPC ATSVC v1.0 JobAdd w/Opnum 0 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/09/2017-09:45:00.281735 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.281735 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/20/2017-11:43:22.993257 [**] [1:2610067:1] TGI LATERAL SMB mimikatz.exe Filename in SMB [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/09/2017-09:45:00.419392 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.419392 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.419701 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.419701 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/25/2017-12:18:39.146950 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.50:4444 -> 192.168.10.31:49215 | |
| 10/25/2017-12:18:37.861202 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.861202 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.861202 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.861202 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/09/2017-09:45:00.490189 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.490189 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.490231 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.490231 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.495069 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.495069 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/25/2017-12:18:37.863172 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.863172 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 12/06/2017-10:37:40.310012 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 12/06/2017-10:37:40.311029 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 10/25/2017-12:18:37.886078 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.886078 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.938601 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.938601 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:48.979329 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49214 -> 192.168.10.10:49158 | |
| 10/09/2017-09:13:21.475690 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:45:27.730747 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 10/09/2017-09:45:27.730747 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 10/09/2017-09:45:27.730747 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 10/09/2017-09:45:27.730747 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 56 1331 14696 ./fast.log | |
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= UNPATCHED -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | |
| cat /dev/null > ./fast.log && sudo /opt/suricata-git.debug/src/suricata -c /etc/suricata/suricata.testsuri4.yaml -l . -S ~/rules/lateral-rules/lateral.rules -k none -r ./merged.pcap && cat ./fast.log && wc ./fast.log | |
| [30428] 21/10/2019 -- 12:41:15 - (suricata.c:1076) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (494617bb3 2019-09-12) running in USER mode | |
| [30428] 21/10/2019 -- 12:41:15 - (tm-threads.c:2145) <Notice> (TmThreadWaitOnThreadInit) -- all 9 packet processing threads, 4 management threads initialized, engine started. | |
| [30428] 21/10/2019 -- 12:41:15 - (suricata.c:2881) <Notice> (SuricataMainLoop) -- Signal Received. Stopping engine. | |
| [30442] 21/10/2019 -- 12:41:15 - (source-pcap-file.c:378) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 8407 packets, 4807232 bytes | |
| 10/09/2017-09:13:19.601956 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610764 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610764 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-08:21:18.117472 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.123948 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.134301 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.138804 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.475690 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610006:1] TGI LATERAL DCERPC ATSVC v1.0 Bind raw UUID 6cb71c2c-9812-4540-0300-000000000000 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610008:1] TGI LATERAL DCERPC ATSVC v1.0 JobAdd w/Opnum 0 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.993257 [**] [1:2610067:1] TGI LATERAL SMB mimikatz.exe Filename in SMB [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/25/2017-12:18:48.979329 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49214 -> 192.168.10.10:49158 | |
| 10/25/2017-12:18:39.146950 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.50:4444 -> 192.168.10.31:49215 | |
| 10/25/2017-12:18:37.886078 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.886078 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/09/2017-09:45:00.419701 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.419701 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.421925 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.421925 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/25/2017-12:18:37.938601 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.938601 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/09/2017-09:10:39.132806 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:45:00.495069 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.495069 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:10:39.133715 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.134042 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 12/06/2017-10:37:40.310012 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 12/06/2017-10:37:40.311029 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 10/25/2017-12:18:48.979672 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 10/25/2017-12:18:48.979672 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 10/25/2017-12:18:48.979672 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 10/25/2017-12:18:48.979672 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 42 974 10832 ./fast.log | |
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= UNPATCHED 4.1.5 w/rust -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | |
| user ~ malware CAR 1 cat /dev/null > ./fast.log && sudo /opt/suricata-4.1.5.rust/src/suricata -c /etc/suricata/suricata.testsuri4.yaml -l . -S ~/rules/lateral-rules/lateral.rules -k none -r ./merged.pcap && cat ./fast.log && wc ./fast.log | |
| 21/10/2019 -- 12:36:49 - <Notice> - This is Suricata version 4.1.5 RELEASE | |
| 21/10/2019 -- 12:36:49 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started. | |
| 21/10/2019 -- 12:36:49 - <Notice> - Signal Received. Stopping engine. | |
| 21/10/2019 -- 12:36:49 - <Notice> - Pcap-file module read 1 files, 8407 packets, 4807232 bytes | |
| 10/09/2017-08:21:18.117472 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.123948 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-08:21:18.134301 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610764 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610764 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-08:21:18.138804 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:10:39.132806 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.133715 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.134042 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.475870 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610006:1] TGI LATERAL DCERPC ATSVC v1.0 Bind raw UUID 6cb71c2c-9812-4540-0300-000000000000 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610008:1] TGI LATERAL DCERPC ATSVC v1.0 JobAdd w/Opnum 0 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.993257 [**] [1:2610067:1] TGI LATERAL SMB mimikatz.exe Filename in SMB [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/09/2017-09:45:00.421925 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.421925 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.422449 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.422449 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/25/2017-12:18:48.979329 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49214 -> 192.168.10.10:49158 | |
| 10/25/2017-12:18:39.146950 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.50:4444 -> 192.168.10.31:49215 | |
| 10/09/2017-09:45:00.495069 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.495069 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/25/2017-12:18:37.886078 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.886078 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.940986 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.940986 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/09/2017-09:45:25.638356 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 10/09/2017-09:45:25.638356 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 12/06/2017-10:37:40.310012 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 12/06/2017-10:37:40.311029 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 10/09/2017-09:45:27.730747 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 10/09/2017-09:45:27.730747 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 42 974 10832 ./fast.log | |
| -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= UNPATCHED 4.1.5 w/o rust -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= | |
| user ~ malware CAR 1 cat /dev/null > ./fast.log && sudo /opt/suricata-4.1.5.norust/src/suricata -c /etc/suricata/suricata.testsuri4.yaml -l . -S ~/rules/lateral-rules/lateral.rules -k none -r ./merged.pcap && cat ./fast.log && wc ./fast.log | |
| 21/10/2019 -- 12:36:54 - <Notice> - This is Suricata version 4.1.5 RELEASE | |
| 21/10/2019 -- 12:36:54 - <Warning> - [ERRCODE: SC_WARN_RUST_NOT_AVAILABLE(316)] - output module 'eve-log.nfs' depends on Rust support | |
| 21/10/2019 -- 12:36:54 - <Warning> - [ERRCODE: SC_WARN_RUST_NOT_AVAILABLE(316)] - output module 'eve-log.smb' depends on Rust support | |
| 21/10/2019 -- 12:36:54 - <Warning> - [ERRCODE: SC_WARN_RUST_NOT_AVAILABLE(316)] - output module 'eve-log.tftp' depends on Rust support | |
| 21/10/2019 -- 12:36:54 - <Warning> - [ERRCODE: SC_WARN_RUST_NOT_AVAILABLE(316)] - output module 'eve-log.ikev2' depends on Rust support | |
| 21/10/2019 -- 12:36:54 - <Warning> - [ERRCODE: SC_WARN_RUST_NOT_AVAILABLE(316)] - output module 'eve-log.krb5' depends on Rust support | |
| 21/10/2019 -- 12:36:54 - <Warning> - [ERRCODE: SC_WARN_RUST_NOT_AVAILABLE(316)] - output module 'eve-log.dhcp' depends on Rust support | |
| 21/10/2019 -- 12:36:54 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started. | |
| 21/10/2019 -- 12:36:54 - <Notice> - Signal Received. Stopping engine. | |
| 21/10/2019 -- 12:36:54 - <Notice> - Pcap-file module read 1 files, 8407 packets, 4807232 bytes | |
| 10/09/2017-08:21:18.117095 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.123340 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-08:21:18.133548 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.601956 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.602062 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610488 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-09:13:19.610488 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49241 -> 192.168.10.30:49155 | |
| 10/09/2017-08:21:18.141535 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49282 -> 192.168.10.10:445 | |
| 10/09/2017-09:10:39.132806 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.133715 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:10:39.134042 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49238 -> 192.168.10.30:445 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.478654 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49240 -> 192.168.10.30:135 | |
| 10/09/2017-09:13:21.475690 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:49155 -> 192.168.10.31:49241 | |
| 10/09/2017-09:45:00.419392 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.419392 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.419701 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.419701 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610006:1] TGI LATERAL DCERPC ATSVC v1.0 Bind raw UUID 6cb71c2c-9812-4540-0300-000000000000 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610008:1] TGI LATERAL DCERPC ATSVC v1.0 JobAdd w/Opnum 0 (CAR-2015-04-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.992817 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/20/2017-11:43:22.993257 [**] [1:2610067:1] TGI LATERAL SMB mimikatz.exe Filename in SMB [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49266 -> 192.168.10.30:445 | |
| 10/09/2017-09:45:00.494619 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/09/2017-09:45:00.494619 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49285 -> 192.168.10.10:445 | |
| 10/25/2017-12:18:37.877055 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.877055 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/09/2017-09:45:00.497415 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.10:445 -> 192.168.10.31:49285 | |
| 10/25/2017-12:18:37.879054 [**] [1:2610044:1] TGI LATERAL DCERPC Service Control Manager Interface UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.879054 [**] [1:2610046:1] TGI LATERAL DCERPC Service Control Manager Interface UUID with risky opcode (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.884143 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.884143 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.50:46785 -> 192.168.10.31:445 | |
| 10/25/2017-12:18:37.940986 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:37.940986 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.31:445 -> 192.168.10.50:46785 | |
| 10/25/2017-12:18:48.979329 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49214 -> 192.168.10.10:49158 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/09/2017-09:45:00.499354 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.31:49283 -> 192.168.10.10:135 | |
| 10/25/2017-12:18:39.146950 [**] [1:2610075:1] TGI LATERAL HUNT Suspicious Named Pipe [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.10.50:4444 -> 192.168.10.31:49215 | |
| 10/25/2017-12:18:37.806183 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 10/25/2017-12:18:37.806183 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:135 -> 192.168.10.31:49240 | |
| 12/06/2017-10:37:40.310012 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 12/06/2017-10:37:40.311029 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.30:445 -> 192.168.10.31:1112 | |
| 10/25/2017-12:18:37.806183 [**] [1:2610020:1] TGI LATERAL DCERPC IRemUnknown2 raw UUID 8a885d04-1ceb-11c9-9fe8-08002b104860 (CAR-2014-12-001) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 10/25/2017-12:18:37.806183 [**] [1:2610028:1] TGI LATERAL DCERPC Service Control Manager Interface raw UUID (367abb81-9844-35f1-ad32-98f038001003) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.10:135 -> 192.168.10.31:49283 | |
| 46 1076 11936 ./fast.log | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment