SMB/KRB Traffic from Non-Standard Process

The SMB/KRB Traffic from Non-Standard Process Analytics alert indicates that a non-standard process has initiated traffic from ports typically used by SMB or Kerberos traffic.

Synopsis

10 minutes
15 days
14 days
10 minutes
  • Traffic logs or Cortex XDR agent endpoint data.
  • N2PA data collected by Pathfinder or the Cortex XDR agent installed on endpoints for at least 30 endpoints over the previous 14 days.
Severity
Varies by activity (High, Medium, or Low).

Description

On Microsoft Windows platforms, SMB and Kerberos traffic is usually performed by a standard set of processes through designated ports. These processes are typically run by a highly privileged account.
This alert indicates that ports normally used by SMB or Kerberos have been used by a new process. This alert can also be raised if the initiating account is not the normal Windows account.
This alert functions by comparing traffic logs generated by next-generation firewalls, network-to-process association (N2PA) created by Pathfinder, and endpoint data collected by the Cortex XDR agent. Cortex XDR can use the endpoint data or N2PA data, but if neither is available the app cannot raise this alert.
If the non-standard process is previously unknown behavior, this alert is raised only on the first day of the attack. The network activity is baselined after that and alerts are no longer raised, so it is important to investigate the first appearance of this alert.
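The following is an added example, not Cortex XDR code, that models the detection logic described above: a training window builds a baseline of which process and account pairs talk on the SMB and Kerberos ports per host, and a test window raises an alert the first time a new pair appears, then baselines it so later days stay quiet. The port numbers (445 and 139 for SMB, 88 for Kerberos), the standard originating processes (System for SMB, lsass.exe for Kerberos), the standard account (NT AUTHORITY\SYSTEM), and all N2PA-style records are assumptions constructed for the example.

```python
"""Toy model of the SMB/KRB Traffic from Non-Standard Process alert.

Added example, not Cortex XDR code. Port numbers, process names, account
names and the records below are assumptions constructed for illustration.
"""
from collections import namedtuple

# Well-known ports the alert watches (assumption: SMB on 445/139, Kerberos on 88)
WATCHED_PORTS = {445: "SMB", 139: "SMB", 88: "Kerberos"}

# Processes that normally originate this traffic on Windows (assumption)
STANDARD_PROCESSES = {"SMB": {"system"}, "Kerberos": {"lsass.exe"}}

# Account those processes normally run under (assumption)
STANDARD_ACCOUNTS = {"nt authority\\system"}

# One N2PA-style record: which process, under which account, talked to which port
Record = namedtuple("Record", "day host process user dst_port")


def _key(r):
    # Baseline identity: host, process and account are all part of "normal"
    return (r.host, r.process.lower(), r.user.lower(), r.dst_port)


def baseline_from(records):
    """Training phase: every (host, process, account, port) seen is normal."""
    return {_key(r) for r in records if r.dst_port in WATCHED_PORTS}


def detect(records, baseline):
    """Test phase: alert on the first appearance of a new pair on a watched port.

    Once a pair has been seen it is added to the baseline, so the alert is
    raised on the first day only, matching the behaviour the description gives.
    """
    alerts = []
    seen = set(baseline)
    for r in sorted(records, key=lambda rec: rec.day):
        proto = WATCHED_PORTS.get(r.dst_port)
        if proto is None:
            continue  # not SMB/Kerberos traffic
        key = _key(r)
        if key in seen:
            continue  # already baselined, no alert
        reasons = []
        if r.process.lower() not in STANDARD_PROCESSES[proto]:
            reasons.append("non-standard process")
        if r.user.lower() not in STANDARD_ACCOUNTS:
            reasons.append("non-standard account")
        if reasons:
            alerts.append({"day": r.day, "host": r.host, "process": r.process,
                           "user": r.user, "port": r.dst_port, "protocol": proto,
                           "reasons": reasons})
        seen.add(key)  # baseline the pair whether or not it alerted
    return alerts


# Constructed training-window records (days 1-15)
TRAINING = [
    Record(1, "ws01", "System", "NT AUTHORITY\\SYSTEM", 445),
    Record(2, "ws01", "lsass.exe", "NT AUTHORITY\\SYSTEM", 88),
    Record(3, "ws01", "nmap.exe", "CORP\\secops", 445),  # sanctioned scanner, already baselined
]

# Constructed test-window records (days 16-17)
TEST = [
    Record(16, "ws01", "System", "NT AUTHORITY\\SYSTEM", 445),   # normal
    Record(16, "ws01", "nmap.exe", "CORP\\secops", 445),          # baselined, no alert
    Record(16, "ws01", "java.exe", "CORP\\appsvc", 88),           # own Kerberos implementation: alert
    Record(17, "ws01", "java.exe", "CORP\\appsvc", 88),           # second day: no alert
    Record(17, "ws01", "lsass.exe", "CORP\\jdoe", 88),            # standard process, unusual account: alert
    Record(17, "ws02", "System", "NT AUTHORITY\\SYSTEM", 445),    # new host but standard pair: no alert
]


def run_demo():
    """Run the test window against the baseline and return the alerts raised."""
    return detect(TEST, baseline_from(TRAINING))


if __name__ == "__main__":
    for a in run_demo():
        print(f"day {a['day']} {a['host']}: {a['process']} as {a['user']} "
              f"-> {a['protocol']}/{a['port']} ({', '.join(a['reasons'])})")
```

Two alerts come out of the demo: java.exe reaching the Kerberos port on day 16 (non-standard process and account), and lsass.exe running under a user account on day 17 (standard process, non-standard account). The repeat of java.exe on day 17 is silent because the pair was baselined on first sight, which is exactly why the first appearance deserves the investigation.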

Attacker's Goals

This might be symptomatic of an attacker's lateral movements. The attacker could be using a custom protocol implementation that offers malicious functionality, or the attacker could be using a protocol other than SMB or Kerberos but that still uses the SMB or Kerberos well-known ports. Either way, the attacker's goal is to gain access to another endpoint on your network.
The attacker could also be surveying your network by performing service scans over the well-known SMB or Kerberos ports.

Investigative Actions

  • Make sure the process is not a scanner that implements its own version of the protocol, and that the scanner use is for sanctioned purposes. For example, nmap enumerating SMB.
  • Make sure the process is not a sanctioned security product that creates standalone binaries for its own use. For example, Illusive Network honeypots.
  • Investigate the process to see if the high-level language used to implement the application is the source of the alert. Some high-level programming languages provide their own protocol implementations. For example, Java uses its own Kerberos implementation.
  • Examine the endpoint to see if it is infected with malware. If the parent-child chain of initiating processes has been infiltrated with a malicious replacement, then that replacement could be known malware.
