How to detect SMBv1 scanning and SMBv1 established connections

Last updated at Thu, 03 Dec 2020 19:25:21 GMT

It’s no secret the SMBv1 protocol has been used as an attack vector for ransomware and cryptocurrency mining. Microsoft has advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006, and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016. At a minimum, you should make sure that all Windows systems on your network have the MS17-010 patch applied.

One of the easiest ways to detect SMBv1 activity on your network is to monitor and analyze network traffic going to and from your file servers. Once you have your data source, which is sometimes referred to as wire data, you can use a SIEM tool like InsightIDR, which has network traffic analysis capabilities, to extract the file and folder information from the network packets.

SMBv1 scanning vs. established connections

There are two types of activity to watch out for when it comes to SMBv1 activity: clients that are trying to use SMBv1, and clients that are successfully connecting to servers using the SMBv1 protocol. The latter is more serious because it means you actually have servers on your network supporting and using SMBv1. Microsoft recommends immediately removing this old and vulnerable file-sharing protocol from all networks. The WannaCry and Petya ransomware attacks, for example, actually used the same SMBv1 exploit to replicate through networks.

1. SMBv1 connection attempts or SMBv1 scanning. This is where a client sends an SMB request to a server and the version flag is set to v1. The server may or may not accept the connection request.
2. SMBv1 connections. This is where a client and server have established a connection using SMBv1. You need to root out these first. At a minimum, make sure the client and server are fully patched.

Why use network traffic as a data source to detect SMBv1?

By monitoring network traffic, you can get visibility into file and folder activity. Log files do not always have the answer, since they only report about local server issues.

Flow data and packet data, which can be extracted from network traffic, is instant and way more flexible than log data. This data can provide an audit trail of all network-based file and folder activity and capture information such as:

• List of IP addresses and host names that connect to network shares
• Associated usernames so you know who did what
• How much bandwidth is associated with users accessing files and folders
• An inventory of actions such as delete, read, or rename, including date stamp