Detection: Detect Outbound SMB Traffic

Description

The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.

Search

 1
 2| tstats `security_content_summariesonly` 
 3earliest(_time) as start_time 
 4latest(_time) as end_time 
 5values(All_Traffic.action) as action 
 6values(All_Traffic.app) as app
 7values(sourcetype) as sourcetype count 
 8from datamodel=Network_Traffic where
 9  All_Traffic.action IN ("allowed", "allow") AND
10  (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
11AND All_Traffic.src_ip IN (
12  "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"
13) 
14AND NOT All_Traffic.dest_ip IN (
15"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", 
16"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", 
17"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", 
18"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", 
19"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
20)
21by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
22All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
23All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
24All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule 
25
26| `drop_dm_object_name("All_Traffic")`  
27
28| `security_content_ctime(start_time)`  
29
30| `security_content_ctime(end_time)` 
31
32| iplocation dest_ip 
33
34| `detect_outbound_smb_traffic_filter`

Data Source

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.

Known False Positives

It is likely that the outbound Server Message Block (SMB) traffic is legitimate, if the company's internal networks are not well-defined in the Assets and Identity Framework. Categorize the internal CIDR blocks as internal in the lookup file to avoid creating findings for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.

Associated Analytic Story

• Cisco Secure Firewall Threat Defense Analytics

• DHS Report TA18-074A

• Hidden Cobra Malware

• NOBELIUM Group

Risk Based Analytics (RBA)

Risk Message:

An outbound SMB connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 12