Abnormal SMB activity to multiple hosts

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

5 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

NDR Lateral Movement Analytics

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Low

Description

An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

  • Verify if the host is a newly deployed server that consists of SMB services to multiple hosts.
  • Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.

Variations

Highly rare SMB activity to multiple hosts

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Low

Description

An endpoint performed a new, and highly rare, SMB activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

  • Verify if the host is a newly deployed server that consists of SMB services to multiple hosts.
  • Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.


Highly rare SMB activity to multiple hosts

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Medium

Description

An endpoint performed a new, and highly rare SMB activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

  • Verify if the host is a newly deployed server that consists of SMB services to multiple hosts.
  • Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.


Abnormal SMB activity to multiple hosts

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Medium

Description

An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

  • Verify if the host is a newly deployed server that consists of SMB services to multiple hosts.
  • Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.


Abnormal SMB activity to multiple hosts

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services (T1021)

Severity

Low

Description

An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.

Attacker's Goals

An adversary may use different protocols to enumerate and plan its lateral movement over the network.

Investigative actions

  • Verify if the host is a newly deployed server that consists of SMB services to multiple hosts.
  • Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.