SMB Version Segregation


#1

Greetings All!

We have run into a question when trying to find deleted files and the version of SMB the server is using. We can search for “delete” as the method on 2003. But on 2008 and 2012 it no longer comes across as this. Anyone have any thoughts on how to find deleted files? Looking at the raw SMB methods, we see that “SMB2_SET_INFO” comes across as an add, delete, or modify. Any direction on how to segregate them out would be helpful!

UPDATE: Thinking about it, is there any SMB flow data to extract?


#2

Currently there is no definitive way to determine whether or not a file is being deleted in SMB2. This is because the SMB2_SET_INFO operation is responsible for a number of logical operations within SMB2 (e.g. file deletions, file renaming, attribute changes, etc.). Yes, we really need a trigger fix here in order to determine when logical delete operations are occurring. This is especially important for ransomware detection.

You can determine if an SMB2 logical RENAME operation is occurring, as the CIFS.resource property will include two file names, separated by an arrow (e.g. file1.doc -> file2.doc).
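As an added example that is not part of this thread and not ExtraHop trigger code: a small parser that splits an SMB2 SET_INFO request into delete, rename, or modify using the FileInfoClass byte, which is the field that the single "SMB2_SET_INFO" method name collapses. It assumes the caller hands it the request body starting right after the 64-byte SMB2 header; the sample requests are constructed here, not taken from a capture.

```python
import struct

# SMB2 SET_INFO request layout (MS-SMB2 2.2.39) and the MS-FSCC
# FileInformationClass values that identify the logical operation.
SMB2_HEADER_LEN = 64
SMB2_0_INFO_FILE = 0x01
FILE_RENAME_INFORMATION = 10
FILE_DISPOSITION_INFORMATION = 13     # buffer: one BOOLEAN, DeleteFile
FILE_DISPOSITION_INFORMATION_EX = 64  # buffer: ULONG flags, bit 0 = delete


def classify_set_info(body: bytes) -> dict:
    """Classify one SMB2 SET_INFO request; `body` starts after the 64-byte SMB2 header."""
    if len(body) < 32:
        raise ValueError("truncated SMB2 SET_INFO request")
    size, info_type, info_class, buf_len, buf_off = struct.unpack_from("<HBBIH", body)
    if size != 33:
        raise ValueError(f"unexpected StructureSize {size}")
    if info_type != SMB2_0_INFO_FILE:
        return {"op": "other", "info_type": info_type, "info_class": info_class}
    start = buf_off - SMB2_HEADER_LEN  # BufferOffset counts from the SMB2 header
    if start < 0 or start + buf_len > len(body):
        raise ValueError("SET_INFO buffer out of range")
    buf = body[start:start + buf_len]
    if info_class == FILE_DISPOSITION_INFORMATION:
        return {"op": "delete" if buf and buf[0] else "undelete", "info_class": info_class}
    if info_class == FILE_DISPOSITION_INFORMATION_EX:
        flags = struct.unpack_from("<I", buf)[0]
        return {"op": "delete" if flags & 1 else "undelete", "info_class": info_class}
    if info_class == FILE_RENAME_INFORMATION:
        # FILE_RENAME_INFORMATION_TYPE_2: ReplaceIfExists(1) Reserved(7)
        # RootDirectory(8) FileNameLength(4) FileName (UTF-16LE, no terminator)
        replace, _root, name_len = struct.unpack_from("<B7xQI", buf)
        new_name = buf[20:20 + name_len].decode("utf-16-le")
        return {"op": "rename", "new_name": new_name, "replace": bool(replace)}
    # Timestamps/attributes, end-of-file, allocation size, ... all look alike here.
    return {"op": "modify", "info_class": info_class}


def sample_set_info(info_class: int, buf: bytes) -> bytes:
    """Constructed sample request (not from a capture): fixed part, buffer at offset 96."""
    fixed = struct.pack("<HBBIHHI16s", 33, SMB2_0_INFO_FILE, info_class, len(buf),
                        SMB2_HEADER_LEN + 32, 0, 0, b"\xaa" * 16)
    return fixed + buf


def sample_rename(new_name: str) -> bytes:
    """Constructed rename request, e.g. the 'test 8' -> 'test 5' case from the thread."""
    name = new_name.encode("utf-16-le")
    return sample_set_info(FILE_RENAME_INFORMATION, struct.pack("<B7xQI", 0, 0, len(name)) + name)
```

A delete can also be requested at open time through SMB2 CREATE with the FILE_DELETE_ON_CLOSE create option, so a SET_INFO check alone does not see every delete.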


#3

Thank you for the info. I tried renaming a file but it never came across with a name change. Below is what the debug spit out. I renamed “test 8” to “test 5”.

Mon May 02 14:38:55
Appliance: | SMB2_GET_INFO | null
Mon May 02 14:38:55
Appliance: | SMB2_CREATE | null
Mon May 02 14:38:55
Appliance: | SMB2_CLOSE | null
Mon May 02 14:38:55
Appliance: | SMB2_FIND | null
Mon May 02 14:38:55
Appliance: | SMB2_NOTIFY | null
Mon May 02 14:38:55
Appliance: | SMB2_GET_INFO | test 8
Mon May 02 14:38:55
Appliance: | SMB2_SET_INFO | test 8
Mon May 02 14:38:55
Appliance: | SMB2_CANCEL | null


#4

Hi, Jeremy.

If you’re in a position to share a pcap from a transaction like the one you’re testing here, it’d be helpful to have ExtraHop support take a look. From what you’ve described (testing the rename), I’d expect you to see the SET_INFO method show a CIFS.resource with a couple of file names along the lines of what tomr describes.


#5

I will look into trying to get that to them.