Detection: SMB Traffic Spike - MLTK

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Description

The following analytic identifies spikes in the number of Server Message Block (SMB) connections using the Machine Learning Toolkit (MLTK). It leverages the Network_Traffic data model to monitor SMB traffic on ports 139 and 445, applying a machine learning model to detect anomalies. This activity is significant because sudden increases in SMB traffic can indicate lateral movement or data exfiltration attempts by attackers. If confirmed malicious, this behavior could lead to unauthorized access, data theft, or further compromise of the network.

 1
 2| tstats `security_content_summariesonly` count values(All_Traffic.dest_ip) as dest values(All_Traffic.dest_port) as port from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb by _time span=1h, All_Traffic.src 
 3| eval HourOfDay=strftime(_time, "%H") 
 4| eval DayOfWeek=strftime(_time, "%A") 
 5| `drop_dm_object_name(All_Traffic)` 
 6| apply smb_pdfmodel threshold=0.001 
 7| rename "IsOutlier(count)" as isOutlier 
 8| search isOutlier > 0 
 9| sort -count 
10| table _time src dest port count 
11| `smb_traffic_spike___mltk_filter`

Data Source

No data sources specified for this detection.

Macros Used

Name Value
security_content_summariesonly summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config``
smb_traffic_spike___mltk_filter search *
smb_traffic_spike___mltk_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1021 Remote Services Lateral Movement
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_13
APT28
APT3
APT32
APT39
APT41
Aquatic Panda
Blue Mockingbird
Chimera
Cinnamon Tempest
Deep Panda
FIN13
FIN8
Fox Kitten
Ke3chang
Lazarus Group
Moses Staff
Orangeworm
Play
Sandworm Team
Threat Group-1314
ToddyCat
Turla
Wizard Spider
Aquatic Panda
Ember Bear
Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To successfully implement this search, you will need to ensure that DNS data is populating the Network_Traffic data model. In addition, the latest version of Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by this search. It is important that this search is run in the same app context as the associated support search, so that the model created by the support search is available for use. You should periodically re-run the support search to rebuild the model with the latest data available in your environment. This search produces a field (Number of events,count) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  • Label: Number of events, Field: count Detailed documentation on how to create a new field within Incident Review is found here: https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details

Known False Positives

If you are seeing more results than desired, you may consider reducing the value of the threshold in the search. You should also periodically re-run the support search to re-build the ML model on the latest data. Please update the smb_traffic_spike_mltk_filter macro to filter out false positive results

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
tbd 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 5