Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 5 Hours |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | NDR Lateral Movement Analytics |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
An endpoint performed a new, unfamiliar SMB activity to multiple hosts on the network.
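A simplified sketch of how the synopsis windows fit together, added here as an illustration; it is not the product's detection logic. The event tuple shape, the `MIN_NEW_DESTS` threshold, the reading of the activation period as a minimum amount of history, and the host names are assumptions.

```python
from datetime import datetime, timedelta

# Windows taken from the synopsis table.
ACTIVATION = timedelta(days=14)
TRAINING = timedelta(days=30)
TEST = timedelta(hours=5)
DEDUP = timedelta(days=1)
MIN_NEW_DESTS = 3  # assumption: the page only says "multiple hosts"

def detect(events, now, last_alert):
    """events: list of (timestamp, src, dst) SMB sessions.
    last_alert: dict src -> time of last alert, updated in place.
    Returns [(src, [new destinations])] for sources that should alert."""
    if not events or now - min(ts for ts, _, _ in events) < ACTIVATION:
        return []  # assumed meaning of the activation period: too little history
    test_start = now - TEST
    train_start = test_start - TRAINING
    baseline, recent = {}, {}
    for ts, src, dst in events:
        if train_start <= ts < test_start:
            baseline.setdefault(src, set()).add(dst)   # familiar destinations
        elif test_start <= ts <= now:
            recent.setdefault(src, set()).add(dst)     # activity under test
    alerts = []
    for src in sorted(recent):
        new = recent[src] - baseline.get(src, set())
        if len(new) < MIN_NEW_DESTS:
            continue
        if src in last_alert and now - last_alert[src] < DEDUP:
            continue  # same source already alerted within the deduplication period
        last_alert[src] = now
        alerts.append((src, sorted(new)))
    return alerts

# Constructed sample data (not real telemetry).
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE = [
    (NOW - timedelta(days=25), "ws-01", "fs-01"),
    (NOW - timedelta(hours=2), "ws-01", "fs-01"),
    (NOW - timedelta(days=20), "ws-02", "fs-01"),
    (NOW - timedelta(hours=3), "ws-02", "fs-01"),
    (NOW - timedelta(hours=3), "ws-02", "hr-07"),
    (NOW - timedelta(hours=2), "ws-02", "hr-08"),
    (NOW - timedelta(hours=1), "ws-02", "dc-01"),
    (NOW - timedelta(hours=1), "ws-03", "hr-07"),
]

if __name__ == "__main__":
    print(detect(SAMPLE, NOW, {}))
```

Only `ws-02` alerts on the sample: `ws-01` stays within its baseline and `ws-03` reaches a single new host, which is below the assumed threshold.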
Attacker's Goals
An adversary may use different protocols to enumerate and plan its lateral movement over the network.
Investigative actions
- Verify whether the host is a newly deployed server that provides SMB services to multiple hosts.
- Verify the legitimacy of the actor process (and its causality) that initiated this SMB traffic.
Variations
Highly rare SMB activity to multiple hosts
Abnormal SMB activity to multiple hosts