SMB/KRB Traffic from Non-Standard Process

The Cortex XDR – Analytics SMB/KRB Traffic from Non-Standard Process alert indicates that a process which does not normally do so has initiated traffic on the ports typically used by SMB (TCP 445, and TCP 139 for SMB over NetBIOS) or Kerberos (TCP/UDP 88).

Synopsis

Activation Period: 10 minutes.
Training Period: 15 days.
Test Period: 14 days.
Deduplication Period: 10 minutes.
Required Data:
  • Traffic logs or Traps endpoint data.
  • N2PA data collected by Pathfinder, or Traps installed on endpoints for at least 30 endpoints over the previous 14 days.
Detector Tags: Lateral movement.

Description

On Microsoft Windows platforms, SMB and Kerberos traffic is normally generated by a small, fixed set of operating-system processes (outbound SMB by the System process, Kerberos by lsass.exe) through their designated ports. These processes run under highly privileged built-in accounts such as NT AUTHORITY\SYSTEM rather than under an interactive user.
This alert indicates that a process not previously observed doing so has sent traffic on the ports normally used by SMB or Kerberos. It can also be raised when the initiating account is not the Windows account that normally runs the process.
The alert works by comparing traffic logs generated by next-generation firewalls with the network-to-process association (N2PA) data created by Pathfinder and the endpoint data generated by Traps. Cortex XDR – Analytics needs at least one of Traps or N2PA data to attribute traffic to a process; if neither is available, the app cannot raise this alert.
If the non-standard process has not been seen before, the alert is raised only on the first day the behavior appears. After that day the activity is folded into the baseline and no further alerts are raised for it, so the first occurrence of this alert is the one to investigate; it will not recur to remind you.
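The following toy detector, added here as an illustration and not Cortex XDR – Analytics code, models the training-period baseline, the test-period comparison, the 10-minute deduplication, and the first-day-only behavior described above. The record format, the watched port set, the lists of "standard" processes and accounts, the host name ws01, and every log line are constructed assumptions made for the example.

```python
# Added example (not Cortex XDR - Analytics code): a toy model of the training /
# test-period baselining this page describes. The record format, the watched port
# set, the "standard" process and account lists and every log line below are
# constructed assumptions for illustration only.
from datetime import datetime, timedelta

# Well-known ports carried by the Windows SMB and Kerberos stacks.
WATCHED_PORTS = {88: "kerberos", 139: "smb-netbios", 445: "smb"}

# Processes that normally originate this traffic on Windows (System for SMB,
# lsass.exe for Kerberos) and the account they normally run under.
STANDARD_PROCESSES = {"system", "lsass.exe"}
STANDARD_ACCOUNTS = {"nt_authority\\system"}

DEDUP = timedelta(minutes=10)   # matches the deduplication period in the synopsis


def parse(line):
    """Parse one constructed N2PA-style record: '<iso-ts> <host> <process> <account> <dst_port>'."""
    ts, host, proc, acct, port = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), acct.lower(), int(port)


def build_baseline(lines):
    """Training period: learn which (host, process, port) and (host, process, account)
    combinations already talk on SMB/Kerberos ports."""
    seen = set()
    for ts, host, proc, acct, port in map(parse, lines):
        if port in WATCHED_PORTS:
            seen.add((host, proc, port))
            seen.add((host, proc, acct))
    return seen


def detect(lines, baseline):
    """Test period: raise an alert for behaviour absent from the baseline, deduplicated
    over DEDUP, and only on the first day that behaviour is observed."""
    first_day = {}   # (host, reason) -> date first observed in the test period
    last_alert = {}  # (host, reason) -> timestamp of the last alert raised
    alerts = []
    for ts, host, proc, acct, port in sorted(map(parse, lines)):
        if port not in WATCHED_PORTS:
            continue
        if proc not in STANDARD_PROCESSES and (host, proc, port) not in baseline:
            reason = f"non-standard process {proc} -> {WATCHED_PORTS[port]}/{port}"
        elif acct not in STANDARD_ACCOUNTS and (host, proc, acct) not in baseline:
            reason = f"non-standard account {acct} for {proc}"
        else:
            continue
        key = (host, reason)
        if first_day.setdefault(key, ts.date()) != ts.date():
            continue  # seen on an earlier day: now part of the baseline, no more alerts
        if key in last_alert and ts - last_alert[key] < DEDUP:
            continue  # inside the deduplication window
        last_alert[key] = ts
        alerts.append((ts, host, reason))
    return alerts


# Constructed training-period records: the host's normal SMB/Kerberos behaviour,
# including a sanctioned backup agent that speaks SMB under a service account.
TRAINING_LOG = [
    "2024-05-01T09:00:00 ws01 System NT_AUTHORITY\\SYSTEM 445",
    "2024-05-01T09:00:05 ws01 lsass.exe NT_AUTHORITY\\SYSTEM 88",
    "2024-05-02T02:00:00 ws01 backupagent.exe CORP\\svc-backup 445",
]

# Constructed test-period records.
TEST_LOG = [
    "2024-05-16T10:00:00 ws01 System NT_AUTHORITY\\SYSTEM 445",        # standard, no alert
    "2024-05-16T10:01:00 ws01 backupagent.exe CORP\\svc-backup 445",   # baselined, no alert
    "2024-05-16T10:02:00 ws01 java.exe CORP\\alice 88",                # new process on 88: alert
    "2024-05-16T10:03:00 ws01 chrome.exe CORP\\alice 443",             # not a watched port
    "2024-05-16T10:05:00 ws01 java.exe CORP\\alice 88",                # within 10 min: deduplicated
    "2024-05-16T10:20:00 ws01 java.exe CORP\\alice 88",                # dedup window passed: alert
    "2024-05-16T11:00:00 ws01 lsass.exe CORP\\bob 88",                 # standard process, odd account: alert
    "2024-05-17T09:00:00 ws01 java.exe CORP\\alice 88",                # second day: baselined, silent
]


def run_example():
    """Baseline on TRAINING_LOG, then run detection over TEST_LOG."""
    return detect(TEST_LOG, build_baseline(TRAINING_LOG))


if __name__ == "__main__":
    for ts, host, reason in run_example():
        print(f"{ts:%Y-%m-%d %H:%M} {host}: {reason}")
```

Running the example produces three alerts, all dated 2024-05-16: the first java.exe connection to port 88, the repeat of it once the 10-minute deduplication window has passed, and lsass.exe talking Kerberos under an account it was never seen with. The identical java.exe traffic on 2024-05-17 is silent, which is the practical consequence of the first-day-only behavior: if the first alert is dismissed, nothing in the analytics will surface that process again.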

Attacker's Goals

This alert may be a symptom of lateral movement. The attacker could be using a custom implementation of SMB or Kerberos that carries malicious functionality, or could be running an entirely different protocol over the SMB or Kerberos well-known ports so that it blends in with normal traffic and passes port-based firewall rules. Either way, the attacker's goal is to reach another endpoint on your network.
The attacker could also be surveying your network by performing service scans against the well-known SMB or Kerberos ports.

Investigative Actions

  • Make sure the process is not a scanner that implements its own version of the protocol, and that the scan was sanctioned. For example, nmap running its SMB enumeration scripts will originate SMB traffic from nmap.exe rather than from the System process.
  • Make sure the process is not a sanctioned security product that ships standalone binaries with their own protocol stacks. For example, Illusive Networks honeypots and deception agents.
  • Check whether the alert comes from the runtime of a high-level language rather than from the Windows stack. Some runtimes carry their own protocol implementations; Java, for example, uses its own Kerberos implementation, so a Java application authenticating with Kerberos appears as java.exe talking to port 88.
  • Verify that the process is what it claims to be: confirm that its image path, digital signature, and hash match the expected binary, and walk the parent-child chain of the initiating process. If a standard process in that chain has been replaced, or has had code injected into it, the replacement may be known malware, so compare its hash against threat intelligence and examine the endpoint for other signs of infection.

Related Documentation