Name:Detect Outbound SMB Traffic id:1bed7774-304a-4e8f-9d72-d80e45ff492b version:6 date:2024-10-16 author:Bhavin Patel, Stuart Hopkins, Patrick Bareiss status:experimental type:TTP Description:The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise. Data_source:
search:| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10") by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` | iplocation dest_ip | `detect_outbound_smb_traffic_filter`
how_to_implement:This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model known_false_positives:It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary. References: drilldown_searches:
: tags: analytic_story: - 'Hidden Cobra Malware' - 'DHS Report TA18-074A' - 'NOBELIUM Group' asset_type:Endpoint confidence:50 impact:50 message:An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$ mitre_attack_id: - 'T1071.002' - 'T1071' observable: name:'src_ip' type:'IP Address' - role: - 'Victim' name:'dest_ip' type:'IP Address' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'All_Traffic.action' - 'All_Traffic.app' - 'All_Traffic.dest_ip' - 'All_Traffic.dest_port' - 'sourcetype' - 'All_Traffic.src_ip' - 'All_Traffic.direction' risk_score:25 security_domain:network