SMB/KRB Traffic from Non-Standard Process
The Cortex XDR – Analytics SMB/KRB Traffic from Non-Standard Process alert indicates that a non-standard process has initiated traffic from ports typically used by SMB or Kerberos traffic.
On Microsoft Windows platforms, SMB and Kerberos traffic is usually performed by a standard set of processes through designated ports. These processes are typically run by a highly privileged account.
This alert indicates that a new process has used the ports normally used by SMB or Kerberos. This alert can also be raised if the initiating account is not the normal Windows account.
This alert functions by comparing traffic logs generated by next-generation firewalls, network-to-process association (N2PA) created by Pathfinder, and data generated by Traps. Cortex XDR – Analytics can use Traps or N2PA data, but if neither is available the app cannot raise this alert.
If the non-standard process is previously unknown behavior, this alert is raised only on the first day of the attack. The network activity is baselined after that and alerts are no longer raised. It is important to investigate the first appearance of this alert.
This might be symptomatic of an attacker's lateral movement. The attacker could be using a custom protocol implementation that offers malicious functionality, or the attacker could be using a protocol other than SMB or Kerberos that still uses the SMB or Kerberos well-known ports. Either way, the attacker's goal is to gain access to another endpoint on your network.
The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.
- Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB.
- Make sure the process is not a sanctioned security product that creates standalone binaries for its own use. For example, Illusive Network honeypots.
- Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their own protocol implementations. For example, Java uses its own Kerberos implementation.
- Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.
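The following Python is an added illustration of the detection logic described above, not Cortex XDR's own implementation. It assumes a small set of "standard" process/account pairs (System and lsass.exe running as SYSTEM) and constructed network-to-process association records; it raises an alert the first time a non-standard process or account uses an SMB (445) or Kerberos (88) port on a host, then treats that combination as baseline, and skips records that carry no process attribution.

```python
# Well-known ports the alert watches. The STANDARD_INITIATORS set is an
# assumption for this example, not the product's real allowlist.
SMB_KRB_PORTS = {445: "SMB", 88: "Kerberos"}
STANDARD_INITIATORS = {
    ("System", "NT AUTHORITY\\SYSTEM"),     # kernel-mode SMB client
    ("lsass.exe", "NT AUTHORITY\\SYSTEM"),  # Kerberos ticket requests
}
STANDARD_PROCESSES = {proc for proc, _ in STANDARD_INITIATORS}

# Constructed N2PA-style records: (day, host, process, account, dest port).
# An empty process means no Traps/N2PA attribution was available.
EVENTS = [
    (1, "ws-01", "System", "NT AUTHORITY\\SYSTEM", 445),
    (1, "ws-01", "lsass.exe", "NT AUTHORITY\\SYSTEM", 88),
    (2, "ws-01", "scan.exe", "CORP\\jdoe", 445),        # new process, first day
    (2, "ws-01", "scan.exe", "CORP\\jdoe", 88),
    (2, "ws-01", "scan.exe", "CORP\\jdoe", 445),        # same day, folded in
    (3, "ws-01", "scan.exe", "CORP\\jdoe", 445),        # already baselined
    (3, "ws-02", "lsass.exe", "CORP\\svc-backup", 88),  # standard process, odd account
    (3, "ws-02", "chrome.exe", "CORP\\jdoe", 443),      # not an SMB/KRB port
    (3, "ws-03", "", "", 445),                          # no process attribution
]


def evaluate(events):
    """Return alerts as (day, host, process, account, protocol, reason).

    An alert fires the first day a (host, process, account, port) combination
    uses an SMB or Kerberos port; afterwards that combination is baseline.
    """
    baseline = set()
    alerts = []
    for day, host, proc, account, port in sorted(events):
        proto = SMB_KRB_PORTS.get(port)
        if proto is None or not proc:
            continue  # unrelated port, or nothing to attribute the flow to
        if (proc, account) in STANDARD_INITIATORS:
            continue  # expected SMB/Kerberos initiator
        key = (host, proc, account, port)
        if key in baseline:
            continue  # seen before: no repeat alert after the first day
        baseline.add(key)
        reason = "non-standard account" if proc in STANDARD_PROCESSES else "non-standard process"
        alerts.append((day, host, proc, account, proto, reason))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```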