SMB Traffic from Non-Standard Process

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Low

Description

SMB traffic is usually performed by a standard set of privileged processes through designated ports.
The endpoint had a non-standard process communicating over ports normally used by SMB.
An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.

Attacker's Goals

  • Using a custom protocol implementation that offers malicious functionality.
  • Using the well-known SMB port with a different protocol to evade detection.

Either way, the attacker's goal is to gain access to another endpoint on your network.
The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative actions

  • Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner's use is for sanctioned purposes. For example, nmap enumerating SMB.
  • Make sure the process is not a sanctioned security product that creates standalone binaries for its own use. For example, Illusive Networks honeypots.
  • Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their own protocol implementations. For example, Java uses its own Kerberos implementation.
  • Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, that replacement could be known malware.
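The detection logic this alert describes (a process outside the expected set talking to SMB ports, one alert per host and process per one-hour deduplication window), as an added illustration run over constructed sample events. This is not Cortex XDR's own code or schema; the allowlist of standard SMB processes and the event fields are assumptions.

```python
from collections import namedtuple
from datetime import datetime

# Well-known SMB ports (445 direct, 139 over NetBIOS session service).
SMB_PORTS = {445, 139}

# Assumed allowlist: processes expected to speak SMB on the endpoint. On Windows the
# SMB client lives in the kernel and appears as the System process. Placeholder values;
# a real deployment would also carry sanctioned scanners and security products here.
STANDARD_SMB_PROCESSES = {"system", "svchost.exe"}

DEDUP_WINDOW_SECONDS = 3600  # matches the alert's one-hour deduplication period

Event = namedtuple("Event", "ts host image dport")

# Constructed sample of endpoint network events (timestamp, host, process image, dst port).
SAMPLE_EVENTS = [
    Event(datetime(2024, 6, 4, 9, 0, 0), "ws01", "System", 445),        # standard, ignored
    Event(datetime(2024, 6, 4, 9, 1, 0), "ws01", "python.exe", 445),    # alert
    Event(datetime(2024, 6, 4, 9, 30, 0), "ws01", "python.exe", 445),   # deduplicated
    Event(datetime(2024, 6, 4, 10, 5, 0), "ws01", "python.exe", 445),   # new alert after 1h
    Event(datetime(2024, 6, 4, 9, 2, 0), "srv02", "nmap.exe", 139),     # alert
    Event(datetime(2024, 6, 4, 9, 3, 0), "srv02", "chrome.exe", 443),   # not SMB, ignored
]


def detect_nonstandard_smb(events, allowlist=STANDARD_SMB_PROCESSES,
                           window_seconds=DEDUP_WINDOW_SECONDS):
    """Return one alert dict per (host, process) per dedup window for traffic to an
    SMB port from a process whose image name is not on the allowlist."""
    alerts = []
    last_alert = {}  # (host, image) -> timestamp of the last alert raised for that pair
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dport not in SMB_PORTS or ev.image.lower() in allowlist:
            continue
        key = (ev.host, ev.image.lower())
        prev = last_alert.get(key)
        if prev is not None and (ev.ts - prev).total_seconds() < window_seconds:
            continue  # same host/process already alerted inside the window
        last_alert[key] = ev.ts
        alerts.append({"ts": ev.ts, "host": ev.host, "process": ev.image, "port": ev.dport})
    return alerts


if __name__ == "__main__":
    for a in detect_nonstandard_smb(SAMPLE_EVENTS):
        print(f"{a['ts']:%H:%M} {a['host']} {a['process']} -> tcp/{a['port']}")
```

Tuning the allowlist against the investigative actions above (sanctioned scanners, security-product binaries, runtimes with their own protocol stacks) is what turns this from a noisy rule into a usable low-severity signal.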

Variations

SMB Traffic from Non-Standard Process on a sensitive server

Synopsis

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

Network Service Discovery (T1046)

Severity

Medium

Description

SMB traffic is usually performed by a standard set of privileged processes through designated ports.
The endpoint had a non-standard process communicating over ports normally used by SMB.
An attacker might be moving laterally by using tools that implement a custom version of the SMB protocol.

Attacker's Goals

  • Using a custom protocol implementation that offers malicious functionality.
  • Using the well-known SMB port with a different protocol to evade detection.

Either way, the attacker's goal is to gain access to another endpoint on your network.
The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative actions

  • Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner's use is for sanctioned purposes. For example, nmap enumerating SMB.
  • Make sure the process is not a sanctioned security product that creates standalone binaries for its own use. For example, Illusive Networks honeypots.
  • Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their own protocol implementations. For example, Java uses its own Kerberos implementation.
  • Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, that replacement could be known malware.