Skip to main content
 
 
 
Splunk Lantern

Server Message Block (SMB) traffic connection spikes

 

Server Message Block (SMB) is a network file sharing and data fabric protocol. Ransomware authors can use SMB to trick a target machine into contacting a malicious server running inside a trusted network, or to any server outside of the network. This search looks for spikes in the number of Server Message Block (SMB) traffic connections, which can be indicative of ransomware attacks.

Prerequisites 

Network protocol data

Procedure

  1. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. To run this search, your deployment needs to be ingesting your network traffic logs and populating the Network Traffic data model
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats allow_old_summaries=true count FROM datamodel=Network_Traffic WHERE ("All_Traffic.dest_port"=139 OR "All_Traffic.dest_port"=445 OR "All_Traffic.app"=smb) BY _time span=1h, "All_Traffic.src" 
| rename "All_Traffic.*" AS "*" 
| eventstats max(_time) AS maxtime 
| stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) AS count avg(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) AS avg stdev(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) AS stdev BY src 
| eval upperBound=(avg + (stdev * 2)), isOutlier=if(((count > upperBound) AND (num_data_samples >= 50)),1,0) 
| where (isOutlier == 1) 
| table src, count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| tstats allow_old_summaries=true count FROM datamodel=Network_Traffic WHERE ("All_Traffic.dest_port"=139 OR "All_Traffic.dest_port"=445 OR "All_Traffic.app"=smb) BY _time span=1h, "All_Traffic.src"  Query the Network_Traffic data model object to search for all traffic with destination port 139 or 445 or traffic marked as SMB traffic. Sort by a time span of an hour, then the data model field All_Traffic.src.
| rename "All_Traffic.*" AS "*"  Rename data model fields for better readability.
| eventstats max(_time) AS maxtime  Return the most recent instance of each event in the results.
| stats count AS num_data_samples max(eval(if(_time >= relative_time(maxtime, "-70m@m"), count, null))) AS count avg(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null)))AS avg stdev(eval(if(_time<relative_time(maxtime, "-70m@m"), count, null))) AS stdev BY src  Calculate the mean, standard deviation, and most recent value. 
| eval upperBound=(avg + (stdev * 2)), isOutlier=if(((count > upperBound) AND (num_data_samples >= 50)),1,0) 

Calculate an upper bound for your baseline by adding the standard deviation multiplied by 2 to the average. Then, create a new column called isOutlier. If the count of SMB traffic connections is larger than the upper bound, return a value of 1 in the isOutlier column. Otherwise, return a value of 0.

Make sure your search time range is set appropriately or all new SMB traffic connections might seem larger than the upper bound.

| where (isOutlier == 1)  Return only results where the isOutlier value is 1, which indicates SMB traffic connections larger than the upper bound.
| table src, count Display the results in a table with columns in the order shown.

Next steps

False positives from this search may occur because a legitimate file server may experience high-demand loads that could cause this search to trigger.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack use case.