Server Message Block (SMB) is used by Windows to allow for file, pipe, and printer sharing over port 445/tcp. It allows for enumerating, and reading from and writing to file shares for a remote computer. Although it is heavily used by Windows servers for legitimate purposes and by users for file and printer sharing, many adversaries also use SMB to achieve Lateral Movement. Looking at this activity more closely to obtain an adequate sense of situational awareness may make it possible to detect adversaries moving between hosts in a way that deviates from normal activity. Because SMB traffic is heavy in many environments, this analytic may be difficult to turn into something that can be used to quickly detect an APT. In some cases, it may make more sense to run this analytic in a forensic fashion. Looking through and filtering its output after an intrusion has been discovered may be helpful in identifying the scope of compromise.
The source, destination, content, and time of each event.
|Technique||Tactic||Level of Coverage|
|Valid Accounts||Lateral Movement||Moderate|
|Data from Network Shared Drive||Exfiltration||Moderate|
|Windows Admin Shares||Lateral Movement||Moderate|
Although there may be more native ways to detect detailed SMB events on the host, they can be extracted out of network traffic. With the right protocol decoders, port 445 traffic can be filtered and even the file path (relative to the share) can be retrieved.
flow = search Flow:Message smb_events = filter flow where (dest_port == "445" and protocol == "smb") smb_events.file_name = smb_events.proto_info.file_name output smb_write
Data Model References