This module detects RPC execution, SMB uploads of executable files, and default Responder.py activity such as LLMNR or NBT-NS poisoning. It captures the attacker's IP and layer-2 (MAC) address. Note that executables are only detected when pushed to a system, not when pulled from it.
This module is intended to detect lateral-movement events in corporate environments, and credential theft on a local network such as a conference or hotel Wi-Fi.
This module supports reporting events to a central server. It can also be used locally only, in which case it creates a new Zeek log named dhsmb.log.
If you are installing from GitHub, copy config.zeek.orig to config.zeek. To run in local mode, leave this config file unchanged.
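As an added illustration of the "pushed, not pulled" rule and of the module's local log, here is a small stand-alone Zeek script that logs executables written to an SMB share. It is example code, not part of dovehawk_smb: the module name, the log path dhsmb_example, the suffix list and the record fields are all assumptions made for this example.

```zeek
@load base/protocols/smb

module DovehawkSMBExample;

export {
    redef enum Log::ID += { LOG };

    # One log line per executable written over SMB (fields chosen for this example).
    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        mac:      string  &log &optional;  # client L2 address, present when Ethernet headers are captured
        filename: string  &log;
        proto:    string  &log;
    };

    # Suffixes treated as executable payloads (assumed list; extend with &redef).
    const exe_suffixes = /\.(exe|dll|scr|com|sys|ps1|bat)$/ &redef;
}

event zeek_init()
    {
    # The real module writes dhsmb.log; this example uses its own path.
    Log::create_stream(LOG, [$columns=Info, $path="dhsmb_example"]);
    }

function record_push(c: connection, proto: string)
    {
    # Only WRITE requests reach here, so this is a file pushed to the share, never one pulled from it.
    if ( ! c?$smb_state || ! c$smb_state?$current_file || ! c$smb_state$current_file?$name )
        return;

    local fname = c$smb_state$current_file$name;
    if ( exe_suffixes !in to_lower(fname) )
        return;

    local info: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $filename=fname, $proto=proto];
    if ( c?$orig_l2_addr )
        info$mac = c$orig_l2_addr;
    Log::write(LOG, info);
    }

# The base SMB scripts set c$smb_state$current_file at higher priority before these run.
event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)
    {
    record_push(c, "smb2");
    }

event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count)
    {
    record_push(c, "smb1");
    }
```

Run it against a capture with `zeek -r trace.pcap example.zeek` and check dhsmb_example.log; read requests for the same file names produce no entries, which is the asymmetry the module description points out.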
Logs alerts locally.
Requirements:
Zeek 3.0 or higher.
The zkg Zeek package manager.
curl, which is required for ActiveHTTP requests.
From a bundle:
sudo zkg unbundle dovehawk_smb.bundle
From GitHub:
sudo zkg install https://github.com/tylabs/dovehawk_smb
Tyler McLellan @tylabs