mitre-attack / bzar

A set of Zeek scripts to detect ATT&CK techniques.
BSD 3-Clause "New" or "Revised" License

ATTACK::Lateral_Movement_Extracted_File whitelists not working #4

Closed glwallum closed 4 years ago

glwallum commented 4 years ago

Hello,

I am excluding addresses using the bzar_config_options.bro.

The attack_lm_extracted_file_whitelist_orig_addrs is not correctly excluding IP addresses, and we are still receiving alerts for ones which are in the set.

mfrndz commented 4 years ago

Thank you for bringing that to my attention. Good catch. The file 'bzar_files.bro' does not perform any checks against the whitelists. Oversight on my part. I can add those checks soon.

mfrndz commented 4 years ago

I added a whitelist check to 'bzar_files.bro' to skip file extraction and/or to skip reporting that a file was extracted. This should remedy the issue.
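The gap described in this thread, a whitelist option that is defined but never consulted before a file is extracted or reported, is illustrated below as an added, stand-alone Zeek script; it is not BZAR's own code. The module name, notice type, option name (modelled on `attack_lm_extracted_file_whitelist_orig_addrs`), the two sample subnets and the extraction filename are all assumptions made for the example.

```zeek
# Added example (not from BZAR): consult an originator-address whitelist both
# before extracting an SMB-transferred file and before raising a notice.
module LM_EXAMPLE;

export {
    redef enum Notice::Type += { Lateral_Movement_Extracted_File_Example };

    # Assumed option name, modelled on the one reported in the issue.
    # Constructed sample entries; an addr in a set[subnet] matches by prefix.
    option lm_extracted_file_whitelist_orig_addrs: set[subnet] = {
        10.0.0.0/8,
        192.168.1.0/24,
    };
}

function orig_is_whitelisted(c: connection): bool
{
    return c$id$orig_h in lm_extracted_file_whitelist_orig_addrs;
}

event file_over_new_connection(f: fa_file, c: connection, is_orig: bool)
{
    # Only files carried over SMB are of interest for this technique.
    if ( ! f?$source || f$source != "SMB" )
        return;

    # First check: whitelisted originators are never extracted.
    if ( orig_is_whitelisted(c) )
        return;

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename = fmt("lm-example-%s", f$id)]);
}

event file_state_remove(f: fa_file)
{
    # Nothing to report unless the extract analyzer actually wrote a file.
    if ( ! f?$info || ! f$info?$extracted )
        return;

    for ( cid in f$conns )
    {
        local c = f$conns[cid];

        # Second check: suppress the notice even if extraction happened.
        if ( orig_is_whitelisted(c) )
            return;

        NOTICE([$note = Lateral_Movement_Extracted_File_Example,
                $msg = fmt("file %s extracted to %s", f$id, f$info$extracted),
                $conn = c]);
    }
}
```

Both checks are needed because the issue reports alerts for whitelisted addresses: skipping extraction alone does nothing for a notice path that fires independently of it.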