Spike in SMB Traffic

Description

This search looks for hosts with an unusually high increase in SMB network connections.


Use Case

Advanced Threat Detection, Security Monitoring

Category

Lateral Movement, Scanning

Alert Volume

Very Low

SPL Difficulty

Hard

Journey

Stage 1

MITRE ATT&CK Tactics

Discovery
Lateral Movement

MITRE ATT&CK Techniques

Network Share Discovery
Remote File Copy
Remote Services

MITRE Threat Groups

APT1
APT18
APT28
APT3
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Cobalt Group
Dragonfly 2.0
Elderwood
FIN10
FIN7
FIN8
GCMAN
Gamaredon Group
Gorgon Group
Lazarus Group
Leviathan
Magic Hound
MuddyWater
OilRig
PLATINUM
Patchwork
Rancor
Soft Cell
Sowbug
TA505
TEMP.Veles
Threat Group-3390
Tropic Trooper
Turla
WIRTE
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Network Communication

How to Implement

To run this search, you must index data from sources that observe network traffic, such as Bro, Splunk Stream, or firewalls. You can then identify spikes in the number of SMB connection attempts.

Known False Positives

No known false positives.

How To Respond

When this search fires, you will need to start your incident response process to verify that the activity on the system is legitimate. You should investigate and determine the process that initiated this traffic and verify its activities.

Help

Spike in SMB Traffic Help

SPL for Spike in SMB Traffic

Demo Data

First, we pull in our demo dataset of firewall logs.
Next, we filter for just SMB connections.
bucket (aliased to bin) allows us to group events based on _time, effectively flattening each _time value to the day it falls in.
Now we are looking at the number of unique destinations per source IP, per day.
Calculate the mean, standard deviation, and most recent value.
Calculate the bounds as a multiple of the standard deviation.

Live Data

First, we pull in our basic dataset, which comes from firewall logs for SMB connections.
bucket (aliased to bin) allows us to group events based on _time, effectively flattening each _time value to the day it falls in.
Now we are looking at the number of unique destinations per source IP, per day.
Calculate the mean, standard deviation, and most recent value.
Calculate the bounds as a multiple of the standard deviation.
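The per-source, per-day baseline described in both the Demo Data and Live Data steps, carried out in Python over constructed firewall log lines (an added example, not the page's SPL). The log format, the SMB port set, the source IPs and the threshold multiplier k are assumptions.

```python
import statistics
from collections import defaultdict

SMB_PORTS = {139, 445}  # assumption: SMB identified by destination port


def parse_line(line):
    """Parse 'YYYY-MM-DDThh:mm:ss src=IP dst=IP dest_port=N' into a dict."""
    ts, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return {"day": ts[:10], "src": f["src"], "dst": f["dst"], "port": int(f["dest_port"])}


def distinct_dests_per_day(lines):
    """Rough equivalent of 'bin _time span=1d | stats dc(dest) by src, _time'."""
    seen = defaultdict(set)  # (src, day) -> set of distinct destinations
    for ev in map(parse_line, lines):
        if ev["port"] in SMB_PORTS:  # keep only SMB connections
            seen[(ev["src"], ev["day"])].add(ev["dst"])
    per_src = defaultdict(dict)
    for (src, day), dsts in seen.items():
        per_src[src][day] = len(dsts)
    return per_src


def find_spikes(per_src, k=3.0, min_days=3):
    """Flag sources whose latest day exceeds mean + k * stdev of earlier days."""
    spikes = {}
    for src, by_day in per_src.items():
        days = sorted(by_day)
        if len(days) < min_days:
            continue  # too little history to build a baseline
        history = [by_day[d] for d in days[:-1]]  # all but the most recent day
        latest = by_day[days[-1]]
        mean, stdev = statistics.mean(history), statistics.pstdev(history)
        upper = mean + k * stdev  # a flat baseline (stdev 0) flags any increase
        if latest > upper:
            spikes[src] = (latest, mean, upper)
    return spikes


def constructed_logs():
    """Constructed sample: 10.0.0.5 reaches 40 hosts on day 7; 10.0.0.9 stays flat."""
    lines = []
    for day in range(1, 8):
        n = 40 if day == 7 else 2 + day % 2  # baseline alternates 3, 2, 3, ...
        for i in range(n):
            lines.append(f"2024-01-0{day}T09:00:00 src=10.0.0.5 dst=10.0.1.{i + 1} dest_port=445")
        for i in range(3):
            lines.append(f"2024-01-0{day}T10:00:00 src=10.0.0.9 dst=10.0.2.{i + 1} dest_port=445")
        lines.append(f"2024-01-0{day}T11:00:00 src=10.0.0.9 dst=10.0.2.99 dest_port=443")  # not SMB
    return lines
```

Running `find_spikes(distinct_dests_per_day(constructed_logs()))` reports only 10.0.0.5, whose 40 distinct destinations on the last day sit far above its baseline upper bound of 4.0.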