It is likely that the outbound Server Message Block (SMB) traffic is legitimate if the company's internal networks are not well-defined in the Assets and Identity framework. Categorize the internal CIDR blocks as `internal` in the lookup file to avoid creating notable events for traffic destined to those CIDR blocks. Any other network connection that is going out to the Internet should be investigated and blocked. Best practices suggest preventing external communications of all SMB versions and related protocols at the network boundary.

Techniques

Sample rules

Detect Outbound SMB Traffic

Description

The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers; SMB is a protocol normally used for Windows file sharing and is commonly abused by attackers. The analytic identifies this behavior by monitoring network traffic for SMB requests directed towards the Internet, which are not typical for standard operations. This detection is crucial for a Security Operations Center (SOC) because such traffic can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. The impact of such an attack includes unauthorized access to sensitive data and potential full system compromise.

Detection logic


| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port values(sourcetype) as sourcetype count from datamodel=Network_Traffic where All_Traffic.action=allowed All_Traffic.direction=outbound (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") by All_Traffic.src_ip
| `drop_dm_object_name("All_Traffic")`
| eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12" ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10" ,dest_ip) ,"1", 1=1,"0")
| search match=0
| fields - match
| `security_content_ctime(start_time)`
| `security_content_ctime(end_time)`
| `detect_outbound_smb_traffic_filter`
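An added Python example (not the detection project's own code) that applies the same filter as the search above to constructed sample events: allowed, outbound, port 139/445 or app "smb", with destinations in the four private/shared ranges dropped, then grouped by source IP. The optional `extra_internal` list stands in for the lookup of company-owned CIDR blocks described in the false-positive note; all event data and addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Ranges excluded by the cidrmatch() clauses in the search.
DEFAULT_INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]


def is_internal(ip, extra_internal=()):
    """True if ip is in a default private range or in an extra 'internal' CIDR from the lookup."""
    addr = ipaddress.ip_address(ip)
    nets = list(DEFAULT_INTERNAL) + list(extra_internal)
    return any(addr in ipaddress.ip_network(c) for c in nets)


def detect_outbound_smb(events, extra_internal=()):
    """Keep allowed outbound SMB to non-internal destinations, aggregated per src_ip."""
    hits = defaultdict(lambda: {"start_time": None, "end_time": None,
                                "dest_ip": set(), "dest_port": set(), "count": 0})
    for e in events:
        smb = e["dest_port"] in (139, 445) or e.get("app") == "smb"
        if not (e["action"] == "allowed" and e["direction"] == "outbound" and smb):
            continue
        if is_internal(e["dest_ip"], extra_internal):  # equivalent of match=0
            continue
        h = hits[e["src_ip"]]
        h["start_time"] = e["_time"] if h["start_time"] is None else min(h["start_time"], e["_time"])
        h["end_time"] = e["_time"] if h["end_time"] is None else max(h["end_time"], e["_time"])
        h["dest_ip"].add(e["dest_ip"])
        h["dest_port"].add(e["dest_port"])
        h["count"] += 1
    return dict(hits)


def ev(t, action, direction, src, dst, port, app="smb"):
    return {"_time": t, "action": action, "direction": direction,
            "src_ip": src, "dest_ip": dst, "dest_port": port, "app": app}


# Constructed sample events (documentation ranges, not real traffic).
SAMPLE_EVENTS = [
    ev(1700000000, "allowed", "outbound", "10.1.2.3", "10.1.9.9", 445),       # internal share, dropped
    ev(1700000100, "allowed", "outbound", "10.1.2.3", "203.0.113.7", 445),    # external, notable
    ev(1700000200, "allowed", "outbound", "10.1.2.3", "203.0.113.7", 139),    # external, notable
    ev(1700000300, "allowed", "inbound", "198.51.100.4", "10.1.2.3", 445),    # inbound, ignored
    ev(1700000400, "blocked", "outbound", "10.1.2.5", "203.0.113.8", 445),    # blocked, ignored
    ev(1700000500, "allowed", "outbound", "10.1.2.6", "192.0.2.10", 445),     # company-owned public block
]

if __name__ == "__main__":
    print(detect_outbound_smb(SAMPLE_EVENTS))
    print(detect_outbound_smb(SAMPLE_EVENTS, extra_internal=["192.0.2.0/24"]))
```

The second call shows the false-positive mitigation: once the company-owned block is categorized as internal, only the genuinely external destination remains.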