The SMB (Server Message Block) Brute-Force detection is designed to identify and alert on potential malicious activities aimed at exploiting SMB services through repeated password guessing attempts.

Triggering Behavior: Excessive Authentication Attempts

SMB Brute-force detection is triggered by an internal host rapidly utilizing multiple accounts through the SMB protocol, notably for activities that involve file sharing or RPC.

This behavior is indicative of an attempt to ascertain the existence of accounts, potentially followed by password brute-forcing using common or default passwords.

Underlying Reasons for SMB Brute-force

This behavior may be caused by attackers trying to uncover usable account credentials within a network. These accounts can then be used to escalate privileges or move laterally within the system.

Alternatively, it could be a benign scenario where a host provides services through a portal, leading to multiple users logging in for services requiring an SMB connection.

Business Impact of SMB Brute-force

The primary risk from SMB brute-force attacks is the unauthorized discovery and exploitation of internal accounts, posing significant threats to data security and network integrity.

Such reconnaissance is often the precursor to more severe attacks, potentially leading to substantial data breaches or system disruptions.

Steps to Verify

To effectively investigate an SMB Brute-Force alert, follow these steps:

  1. Determine whether the internal host in question should be connecting to the target host using the indicated account(s); if not, this is likely malicious behavior
  2. Determine which process on the internal host is initiating the SMB requests; in Windows systems, this can be done using a combination of netstat and tasklist commands
  3. Verify that the process should be running on the internal host and whether the process is configured correctly

Related MITRE ATT&CK Techniques

  • T1087 (Account Discovery): This technique involves enumeration of accounts on a system or network. SMB brute-force can often be a method of discovering usable account credentials.
  • T1110 (Brute Force): This involves attempting multiple passwords or hashing algorithms to guess correctly. The observed rapid use of multiple accounts through SMB matches this technique.