How to detect SMBv1 scanning and SMBv1 established connections
Detect SMBv1 scanning and active or established connections
Detecting SMBv1 activity is a subject we have covered previously. Flaws in the protocol have been used as an attack vector for ransomware and cryptocurrency mining, and Microsoft has advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006; the latest version, SMB 3.1.1, was introduced with Windows 10 and Windows Server 2016. At a minimum, make sure that every Windows system on your network has the MS17-010 patch applied, since that is the update which closes the SMBv1 vulnerabilities those attacks exploited.
One of the easiest ways to detect SMBv1 activity on your network is to monitor the network traffic going to and from your file servers. You can do this by configuring a SPAN or mirror port on a switch, or by installing a network TAP. Either approach gives you a copy of all traffic to and from the servers.
Once you have this data source, sometimes referred to as wire data, you can use a network traffic analysis application such as our own LANGuardian to extract the file and folder information from the network packets.
SMBv1 scanning vs established connections
There are two types of activity to watch for when it comes to SMBv1. Clients which are trying to use SMBv1, and clients which are successfully connecting to servers using the SMBv1 protocol. The latter is more serious, as it means you have servers on your network that still support and use SMBv1. Microsoft recommends immediately removing this old and vulnerable file sharing protocol from all networks. The recent WannaCry and Petya ransomware attacks, for example, used the same SMBv1 exploit (EternalBlue, the flaw fixed by MS17-010) to replicate through networks.
- SMBv1 connection attempts, or SMBv1 scanning. This is where a client sends an SMB Negotiate request framed with the legacy SMBv1 header (the 0xFF 'SMB' signature) and offering only SMBv1 dialects. The server may or may not accept the request; a server with SMBv1 disabled will reject it or drop the connection.
- SMBv1 connections. This is where a client and server have negotiated an SMBv1 dialect and gone on to set up a session and connect to a share. Root these out first. At a minimum make sure both the client and the server are fully patched, then disable SMBv1 on each of them.
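To make the two cases concrete, here is an added example (not code from the original article or from LANGuardian) that classifies raw SMB messages as they would arrive from a port 445 capture. It parses the legacy SMBv1 header (0xFF 'SMB') and the SMB2 header (0xFE 'SMB'), reads the dialect strings out of an SMBv1 Negotiate request, and tags each client/server pair as an SMBv1 attempt, an established SMBv1 session, or an SMB2+ negotiation. The packets are constructed by hand inside the script, the IP addresses are made up, and protocol fields other than the ones inspected are zeroed. One caveat worth knowing: an SMB2-capable Windows client may also send an SMBv1-framed Negotiate, but it lists "SMB 2.002" or "SMB 2.???" among its dialects, so the dialect list rather than the header alone tells you whether the client is SMBv1-only, and the server's answer (an SMBv1 reply selecting a dialect versus an SMB2 reply) tells you what was actually negotiated.

```python
"""Classify SMB traffic as SMBv1 attempts vs established SMBv1 sessions.
Input is the raw TCP payload on port 445: a 4-byte NetBIOS session header
followed by one SMB message. Added example; packets are constructed here."""
import struct

SMB1_MAGIC = b"\xffSMB"          # legacy SMB/CIFS header
SMB2_MAGIC = b"\xfeSMB"          # SMB 2.x / 3.x header
SMB1_NEGOTIATE = 0x72
SMB1_SESSION_SETUP_ANDX = 0x73
SMB1_TREE_CONNECT_ANDX = 0x75
SMB1_FLAGS_REPLY = 0x80          # bit set in every server response
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_RESPONSE = 0x01


def smb_message(tcp_payload):
    """Strip the NetBIOS session header (type 0x00 + 3-byte big-endian length)."""
    if len(tcp_payload) < 4 or tcp_payload[0] != 0x00:
        return None
    length = int.from_bytes(tcp_payload[1:4], "big")
    return tcp_payload[4:4 + length]


def smb1_dialects(data):
    """Dialect strings of an SMBv1 Negotiate request (0x02 + NUL-terminated)."""
    word_count = data[32]                       # WordCount follows the 32-byte header
    byte_count_off = 33 + 2 * word_count
    if byte_count_off + 2 > len(data):
        return []
    byte_count = struct.unpack_from("<H", data, byte_count_off)[0]
    buf = data[byte_count_off + 2:byte_count_off + 2 + byte_count]
    return [d.rstrip(b"\x00") for d in buf.split(b"\x02") if d]


def classify(tcp_payload):
    """Return an event label for one SMB message."""
    data = smb_message(tcp_payload)
    if data is None or len(data) < 32:
        return "not-smb"
    if data.startswith(SMB2_MAGIC):
        if len(data) < 64:
            return "smb2-truncated"
        command = struct.unpack_from("<H", data, 12)[0]
        flags = struct.unpack_from("<I", data, 16)[0]
        if command == SMB2_NEGOTIATE and flags & SMB2_FLAGS_RESPONSE:
            return "smb2-negotiate-response"   # server chose SMB2+, no SMBv1 here
        return "smb2"
    if not data.startswith(SMB1_MAGIC):
        return "not-smb"
    command, is_reply = data[4], bool(data[9] & SMB1_FLAGS_REPLY)
    if command == SMB1_NEGOTIATE and not is_reply:
        if any(d.startswith(b"SMB 2.") for d in smb1_dialects(data)):
            return "smb1-negotiate-offers-smb2"  # v1 framing, but client can do SMB2
        return "smb1-negotiate-v1-only"
    if command == SMB1_NEGOTIATE and is_reply:
        if data[32] == 0:
            return "smb1-negotiate-rejected"
        dialect_index = struct.unpack_from("<H", data, 33)[0]  # 0xFFFF = none accepted
        return "smb1-negotiate-rejected" if dialect_index == 0xFFFF else "smb1-negotiate-accepted"
    if command in (SMB1_SESSION_SETUP_ANDX, SMB1_TREE_CONNECT_ANDX):
        return "smb1-session"                   # SMBv1 dialect in actual use
    return "smb1-other"


def audit(packets):
    """packets: (client_ip, server_ip, tcp_payload) for both directions of each
    connection. Returns a verdict per client/server pair."""
    seen = {}
    for client, server, payload in packets:
        seen.setdefault((client, server), set()).add(classify(payload))
    verdicts = {}
    for pair, events in seen.items():
        if events & {"smb1-negotiate-accepted", "smb1-session"}:
            verdicts[pair] = "SMBv1 established"
        elif "smb1-negotiate-v1-only" in events:
            verdicts[pair] = "SMBv1 attempt"
        elif "smb2-negotiate-response" in events:
            verdicts[pair] = "SMB2+ negotiated"
        else:
            verdicts[pair] = "no SMBv1 seen"
    return verdicts


# --- constructed sample traffic (hand-built messages, made-up addresses) ---
def build_smb1(command, flags=0, words=b"", data=b""):
    header = (SMB1_MAGIC + bytes([command]) + struct.pack("<I", 0) + bytes([flags])
              + struct.pack("<HH", 0, 0) + b"\x00" * 8 + b"\x00" * 2
              + struct.pack("<HHHH", 0, 0, 0, 0))            # 32-byte SMBv1 header
    body = bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb2(command, flags):
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, command, 0,
                                      flags, 0, 0, 0, 0, 0, b"\x00" * 16)  # 64-byte header only
    return b"\x00" + len(header).to_bytes(3, "big") + header


def negotiate_request(dialects):
    return build_smb1(SMB1_NEGOTIATE, data=b"".join(b"\x02" + d + b"\x00" for d in dialects))


V1_ONLY = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
V1_PLUS_V2 = V1_ONLY + [b"SMB 2.002", b"SMB 2.???"]
SAMPLE_PACKETS = [
    # scanner probes 10.0.0.10 with a v1-only negotiate; no SMB reply ever comes back
    ("10.0.0.50", "10.0.0.10", negotiate_request(V1_ONLY)),
    # scanner probes 10.0.0.11; server accepts dialect 2 (NT LM 0.12) and a session follows
    ("10.0.0.50", "10.0.0.11", negotiate_request(V1_ONLY)),
    ("10.0.0.50", "10.0.0.11", build_smb1(SMB1_NEGOTIATE, SMB1_FLAGS_REPLY,
                                          words=struct.pack("<H", 2) + b"\x00" * 32)),
    ("10.0.0.50", "10.0.0.11", build_smb1(SMB1_SESSION_SETUP_ANDX)),
    # SMB2-capable client: v1-framed negotiate offering SMB 2.x; server answers in SMB2
    ("10.0.0.20", "10.0.0.10", negotiate_request(V1_PLUS_V2)),
    ("10.0.0.20", "10.0.0.10", build_smb2(SMB2_NEGOTIATE, SMB2_FLAGS_RESPONSE)),
]

if __name__ == "__main__":
    for (client, server), verdict in sorted(audit(SAMPLE_PACKETS).items()):
        print(f"{client} -> {server}: {verdict}")
```

Feeding it real traffic is a matter of reassembling TCP port 445 streams from the SPAN or TAP feed and handing each message to `classify()` with the client and server addresses; the aggregation in `audit()` is where the distinction between a scan (a v1-only Negotiate with no accepting reply) and an established SMBv1 session (an accepting Negotiate reply, or a Session Setup or Tree Connect under the 0xFF header) is made.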
The video below shows an example of what to look out for once you get network traffic monitoring in place. A trial version of LANGuardian can be used to perform a quick audit if you do not have something in place already.
Why use network traffic as a data source to detect SMBv1?
By monitoring network traffic you get visibility of file and folder activity without the need for agents or log files. Agents can be difficult to deploy and scale, and they become one more thing to update and manage. Log files do not always hold the answer, as each server only records what happened locally, and only if the relevant auditing is enabled.
Wire data extracted from network traffic is available immediately and is far more flexible than log data. It can provide an audit trail of all network-based file and folder activity, capturing information such as:
- IP addresses and host names which connect to network shares
- Associated usernames, so you know who did what
- Bandwidth consumed by users accessing files and folders
- An inventory of actions such as delete, read or rename, each with a date stamp