Spike in SMB Traffic

Description

This search looks for hosts with an unusually high increase in SMB network connections.

Use Case

Advanced Threat Detection, Security Monitoring

Category

Lateral Movement, Ransomware, Scanning

Alert Volume

Very Low

SPL Difficulty

Hard

Data Availability

Bad

Journey

Stage 1

MITRE ATT&CK Tactics

Discovery
Lateral Movement

MITRE ATT&CK Techniques

Network Share Discovery
Ingress Tool Transfer
Remote Services

MITRE Threat Groups

Sowbug
Chimera
APT39
APT32
Gamaredon Group
Elderwood
Whitefly
PLATINUM
Patchwork
TA505
Rancor
Cobalt Group
Soft Cell
Lazarus Group
APT3
Molerats
Turla
Tropic Trooper
Leviathan
Frankenstein
BRONZE BUTLER
Sharpshooter
Dragonfly 2.0
OilRig
APT41
APT38
APT-C-36
APT1
Rocke
DarkVishnya
Silence
FIN7
Threat Group-3390
APT18
MuddyWater
WIRTE
menuPass
APT28
APT33
Sandworm Team
FIN8
Gorgon Group
APT37
Magic Hound

Kill Chain Phases

Actions On Objectives

Data Sources

Network Communication

How to Implement

To run this search, you must index data from sources that observe network traffic, such as Bro, Splunk Stream, or firewalls. You can then identify spikes in the number of SMB connection attempts.

Known False Positives

No known false positives.

How To Respond

When this search fires, you will need to start your incident response process to verify that the activity on the system is legitimate. Investigate and determine the process that initiated this traffic, then verify what that process has been doing.

Help

SPL for Spike in SMB Traffic

Demo Data

First we pull in our demo dataset of firewall logs.
Next we filter for just SMB connections.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the day.
Now we are looking at the number of unique destinations per source IP, per day.
Calculate the mean, standard deviation, and most recent value.
Calculate the bounds as a multiple of the standard deviation.

Live Data

First we pull in our basic dataset, which comes from firewall logs for SMB connections.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the day.
Now we are looking at the number of unique destinations per source IP, per day.
Calculate the mean, standard deviation, and most recent value.
Calculate the bounds as a multiple of the standard deviation.
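The Demo Data and Live Data walkthroughs above describe the same pipeline: filter to SMB, bucket by day, count distinct destinations per source per day, then compare the most recent day against a mean-plus-multiple-of-stdev bound. The SPL itself is not reproduced on this page, so the following is an added Python example (not the page's SPL and not Splunk's code) that runs those steps over constructed firewall-style log lines. Its assumptions: SMB is identified by destination port 445 or 139, the log line format is the simple key=value form built in build_sample_logs, the bound uses a multiplier of 3, the baseline excludes the most recent day, and a host needs at least 3 baseline days before it is scored. The sample data includes a host that fans out to 40 hosts on the last day, a host with a flat baseline, a host with an HTTPS fan-out that the SMB filter must drop, and a host with no baseline at all.

```python
"""Daily SMB fan-out spike detection (added example; assumptions noted inline)."""
import re
import statistics
from collections import defaultdict

SMB_PORTS = {445, 139}      # assumption: SMB over TCP/445 and NetBIOS session/139
MULTIPLIER = 3.0            # assumption: upper bound = mean + 3 * stdev
MIN_HISTORY_DAYS = 3        # assumption: baseline days required before scoring

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<...>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def build_sample_logs():
    """Constructed firewall-style log lines; not real traffic."""
    lines = []
    for day in range(1, 7):                      # 10.0.0.5 baseline: 2 or 3 file servers a day
        for i in range(2 if day % 2 else 3):
            lines.append(f"2024-01-{day:02d}T09:{i:02d}:00 src=10.0.0.5 dst=10.0.1.{10 + i} dport=445 action=allowed")
    lines.append("2024-01-01T09:30:00 src=10.0.0.5 dst=10.0.1.10 dport=445 action=allowed")  # repeat dst, same day
    for i in range(40):                          # day 7: 10.0.0.5 reaches 40 distinct hosts over SMB
        lines.append(f"2024-01-07T10:{i:02d}:00 src=10.0.0.5 dst=10.0.2.{i + 1} dport=445 action=allowed")
    for day in range(1, 8):                      # 10.0.0.7: flat baseline of 5 destinations every day
        for i in range(5):
            lines.append(f"2024-01-{day:02d}T08:{i:02d}:00 src=10.0.0.7 dst=10.0.1.{20 + i} dport=445 action=allowed")
    for i in range(30):                          # 10.0.0.7 HTTPS fan-out: not SMB, must be filtered out
        lines.append(f"2024-01-07T11:{i:02d}:00 src=10.0.0.7 dst=203.0.113.{i + 1} dport=443 action=allowed")
    lines.append("2024-01-07T12:00:00 src=10.0.0.9 dst=10.0.1.10 dport=445 action=allowed")  # no baseline
    return lines


def parse_logs(lines):
    """Parse raw lines into records; lines that do not match the assumed format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"day": m["day"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return records


def distinct_dests_per_day(records):
    """Filter to SMB, bucket by day (the 'bin' step), count distinct dst per src per day.
    Returns {src: [(day, distinct_dest_count), ...]} ordered by day."""
    dests = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["dport"] in SMB_PORTS:
            dests[r["src"]][r["day"]].add(r["dst"])
    return {src: sorted((day, len(d)) for day, d in days.items()) for src, days in dests.items()}


def detect_spikes(records, multiplier=MULTIPLIER, min_history=MIN_HISTORY_DAYS):
    """Flag sources whose most recent daily count exceeds mean + multiplier * stdev
    of their earlier days. Sample stdev is used, matching Splunk's stdev() function."""
    findings = []
    for src, series in distinct_dests_per_day(records).items():
        history = [count for _, count in series[:-1]]
        latest_day, latest = series[-1]
        if len(history) < min_history:       # no usable baseline: cannot score this host
            continue
        mean = statistics.mean(history)
        stdev = statistics.stdev(history)
        upper = mean + multiplier * stdev
        if latest > upper:
            findings.append({"src": src, "day": latest_day, "latest": latest,
                             "mean": mean, "stdev": stdev, "upper_bound": upper})
    return findings


if __name__ == "__main__":
    for f in detect_spikes(parse_logs(build_sample_logs())):
        print(f"{f['src']} on {f['day']}: {f['latest']} distinct SMB destinations "
              f"(baseline mean {f['mean']:.2f}, stdev {f['stdev']:.2f}, bound {f['upper_bound']:.2f})")
```

Two design points worth keeping when porting this back to SPL: count distinct destinations rather than raw connections, otherwise a single chatty file-server session inflates the daily value; and do not score hosts without a baseline, since a brand-new source with one day of data has no mean or standard deviation to compare against and would otherwise produce noise. Running the block flags only 10.0.0.5, whose 40-host day sits far above a baseline of 2 to 3 servers, while the HTTPS fan-out from 10.0.0.7 is dropped by the SMB filter.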