SMB Traffic Allowed

Description

This use case looks for any SMB traffic allowed through your firewall.


Use Case

Security Monitoring

Category

Operations

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 1

MITRE ATT&CK Tactics

Execution
Lateral Movement

MITRE ATT&CK Techniques

Exploitation of Remote Services
Windows Admin Shares
Service Execution

MITRE Threat Groups

APT28
APT3
APT32
Deep Panda
FIN6
FIN8
Honeybee
Ke3chang
Lazarus Group
Orangeworm
Silence
Threat Group-1314
Threat Group-3390
Turla

Kill Chain Phases

Reconnaissance
Delivery

Data Sources

Network Communication

How to Implement

To run this search, you need data from firewalls or other access control devices that mediate what traffic is allowed into your environment. This is necessary so that the search can identify an 'action' taken on the traffic of interest.

Known False Positives

This search does not filter for outgoing traffic, and assumes a firewall at the perimeter. You will need to exclude any company-owned subnets where you have firewall visibility, in order to remove false positives.

How To Respond

When this search fires, you will need to verify against your firewall block policy whether SMB should be allowed through to your network. It is a best practice not to allow SMB from the Internet into your network.

Help

SMB Traffic Allowed Help

This use case looks for any SMB traffic allowed through your firewall.

SPL for SMB Traffic Allowed

Demo Data

First we pull in our demo dataset of Firewall logs
Next we filter for just SMB connections.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the last day.
Now we are looking at the number of connections per source / dest IP pair per day, over our time range.

Live Data

First we pull in our basic dataset, which comes from Firewall Logs for SMB connections.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the last day.
Now we are looking at the number of connections per source / dest IP pair per day, over our time range.

Accelerated Data

Here we use tstats to query an accelerated data model that will allow us to find allowed SMB traffic in the environment, identified either by the standard dest_ports for SMB (139 and 445) or by a NGFW that detects the SMB app.
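The live-data and accelerated-data searches described above, written out as an added example (this is not the app's own SPL). The first search runs over raw firewall events and assumes an index named `firewall` whose add-on populates the CIM Network_Traffic field names (`action`, `app`, `dest_port`, `src`, `dest`); the second runs the same logic with `tstats` against the accelerated Network_Traffic data model. Both end with the false-positive exclusion from the Known False Positives section, using `10.0.0.0/8` as an assumed placeholder for your company-owned subnets.

```spl
index=firewall action=allowed
    (dest_port=139 OR dest_port=445 OR app=smb)
| where NOT cidrmatch("10.0.0.0/8", src)
| bin _time span=1d
| stats count AS connections BY _time src dest
| sort - connections

| tstats summariesonly=true count AS connections
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE All_Traffic.action=allowed
      (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb)
    BY _time span=1d All_Traffic.src All_Traffic.dest
| rename All_Traffic.* AS *
| where NOT cidrmatch("10.0.0.0/8", src)
| sort - connections
```

Each search yields one row per source / destination pair per day; pairs whose source is outside your own address space and whose destination is reachable on 139/445 from the Internet are the ones to check against the firewall block policy.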