Detection: Detect Outbound SMB Traffic

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2025-05-02 ID: 1bed7774-304a-4e8f-9d72-d80e45ff492b Author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.

Search

1
2| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10") by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product 
3| `drop_dm_object_name("All_Traffic")`  
4| `security_content_ctime(start_time)`  
5| `security_content_ctime(end_time)`  
6| iplocation dest_ip 
7| `detect_outbound_smb_traffic_filter`

Data Source

Name	Platform	Sourcetype	Source
Zeek Conn	N/A	`'bro:conn:json'`	`'bro:conn:json'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
detect_outbound_smb_traffic_filter	`search *`

detect_outbound_smb_traffic_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1071.002	File Transfer Protocols	Command And Control

Command and Control

DE.CM

CIS 13

Dragonfly

Kimsuky

SilverTerrier

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

This search also requires you to be ingesting your network traffic and populating the Network_Traffic data model

Known False Positives

It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as internal in the lookup file to avoid creating findings for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$

Risk Object	Risk Object Type	Risk Score	Threat Objects
src_ip	system	25	dest_ip

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	Not Applicable	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`conn.log`	`bro:conn:json`
Integration	✅ Passing	Dataset	`conn.log`	`bro:conn:json`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 10