SMB Traffic Allowed

Description

This use case looks for any SMB traffic allowed through your firewall.

Use Case

Security Monitoring

Category

Operations, Ransomware

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Execution
Lateral Movement

MITRE ATT&CK Techniques

Exploitation of Remote Services
Windows Admin Shares
Service Execution
SMB/Windows Admin Shares

MITRE Threat Groups

Threat Group-3390
APT28

Kill Chain Phases

Reconnaissance
Delivery

Data Sources

Network Communication

How to Implement

To run this search, you need data from firewalls or other access control devices that mediate what traffic is allowed into your environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest.

Known False Positives

This search does not filter by traffic direction and assumes the firewall sits at the perimeter. If your firewalls also see internal-to-internal or outbound traffic, exclude any company-owned subnets as sources so that legitimate internal SMB (file shares, SCCM, administrative tools) does not trigger the search.

How To Respond

When this search fires, check the firewall's block policy to confirm whether SMB should be allowed into your network from the source in question. It is a best practice not to allow SMB from the Internet into your network; if the policy permits it, treat that as a configuration finding to fix, and if the policy should have blocked it, investigate why the traffic was allowed.

Help

SMB Traffic Allowed Help

This use case looks for any SMB traffic allowed through your firewall.

SPL for SMB Traffic Allowed

Demo Data

First we pull in our demo dataset of firewall logs.
Next we filter for allowed connections to SMB.
Bucket (aliased to bin) groups events by _time with a span of one day, rounding each _time down to the start of its day.
Now we are looking at the number of allowed connections per source / destination IP pair per day, over our time range.

Live Data

First we pull in our basic dataset, which comes from firewall logs filtered to allowed SMB connections.
Bucket (aliased to bin) groups events by _time with a span of one day, rounding each _time down to the start of its day.
Now we are looking at the number of allowed connections per source / destination IP pair per day, over our time range.

Accelerated Data

Here we use tstats to query an accelerated data model (Network Traffic), which lets us find allowed SMB traffic in the environment quickly. SMB is identified either by the standard destination ports for SMB (139 and 445) or by a next-generation firewall (NGFW) that classifies the application as SMB, so that SMB on a non-standard port is still caught.
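The three search variants above (demo, live and accelerated) all implement the same logic: keep allowed firewall events, match SMB by destination port 139/445 or by an NGFW app field, bin by day, and count per source / destination pair. The following Python is an added example, not the page's SPL or any Splunk code: it runs that logic over a handful of constructed firewall events with CIM-style field names (action, src_ip, dest_ip, dest_port, app, _time) and also applies the internal-subnet exclusion from the Known False Positives section. The subnet list and the sample events are assumptions for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# SMB is matched by standard destination ports or by an NGFW app label.
SMB_PORTS = {139, 445}
SMB_APPS = {"smb", "ms-ds-smb"}

# Assumed company-owned ranges (RFC 1918 here); replace with your own.
INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def ts(year, month, day, hour=0, minute=0):
    """Epoch seconds for a UTC timestamp (helper for the constructed data)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp()


# Constructed firewall events; documentation IPs (RFC 5737) stand in for real ones.
SAMPLE_EVENTS = [
    {"_time": ts(2024, 1, 15, 8, 30), "action": "allowed", "src_ip": "203.0.113.5",
     "dest_ip": "192.0.2.10", "dest_port": 445, "app": "smb"},
    {"_time": ts(2024, 1, 15, 9, 10), "action": "allowed", "src_ip": "203.0.113.5",
     "dest_ip": "192.0.2.10", "dest_port": 445, "app": "smb"},
    # Blocked: the firewall did its job, so this must not count.
    {"_time": ts(2024, 1, 15, 10, 0), "action": "blocked", "src_ip": "203.0.113.5",
     "dest_ip": "192.0.2.10", "dest_port": 445, "app": "smb"},
    # NetBIOS session service on 139, app not labelled as SMB: port match.
    {"_time": ts(2024, 1, 15, 11, 0), "action": "allowed", "src_ip": "198.51.100.7",
     "dest_ip": "192.0.2.20", "dest_port": 139, "app": "netbios-ssn"},
    # Internal source: excluded when the false-positive filter is on.
    {"_time": ts(2024, 1, 15, 12, 0), "action": "allowed", "src_ip": "10.1.2.3",
     "dest_ip": "192.0.2.10", "dest_port": 445, "app": "smb"},
    # HTTPS, not SMB: never counted.
    {"_time": ts(2024, 1, 15, 12, 30), "action": "allowed", "src_ip": "203.0.113.9",
     "dest_ip": "192.0.2.30", "dest_port": 443, "app": "ssl"},
    # SMB on a non-standard port, caught only by the NGFW app label.
    {"_time": ts(2024, 1, 15, 13, 0), "action": "allowed", "src_ip": "203.0.113.9",
     "dest_ip": "192.0.2.40", "dest_port": 5555, "app": "smb"},
    # Same pair as the first two events, but the next day: separate bucket.
    {"_time": ts(2024, 1, 16, 2, 0), "action": "allowed", "src_ip": "203.0.113.5",
     "dest_ip": "192.0.2.10", "dest_port": 445, "app": "smb"},
]


def is_smb(event):
    """True if the event looks like SMB by port or by NGFW app classification."""
    return event.get("dest_port") in SMB_PORTS or str(event.get("app", "")).lower() in SMB_APPS


def is_internal(ip):
    """True if the address falls in one of the assumed company-owned subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_SUBNETS)


def bin_to_day(epoch):
    """Equivalent of `bin _time span=1d`: round down to the start of the UTC day."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def allowed_smb_pairs_per_day(events, exclude_internal_sources=True):
    """Count allowed SMB connections per (day, src_ip, dest_ip).

    Mirrors: action=allowed AND (dest_port IN (139,445) OR app=smb)
             | bin _time span=1d | stats count by _time src_ip dest_ip
    """
    counts = Counter()
    for e in events:
        if e.get("action") != "allowed" or not is_smb(e):
            continue
        if exclude_internal_sources and is_internal(e["src_ip"]):
            continue
        counts[(bin_to_day(e["_time"]), e["src_ip"], e["dest_ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (day, src, dst), n in sorted(allowed_smb_pairs_per_day(SAMPLE_EVENTS).items()):
        print(f"{day}  {src:>14} -> {dst:<12} allowed SMB connections: {n}")
```

The same pair on two different days produces two rows, which is what the daily bin is for: a persistent external source hammering an internal host shows up as a row per day rather than a single lifetime total. Turning `exclude_internal_sources` off shows the extra internal row the Known False Positives section warns about.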