Triggers

  • An internal host is using the SMB protocol to make many login attempts with the same account(s), behavior consistent with a brute-force password attack
  • Many, though not necessarily all, of these authentications are observed to fail
  • The threat score is driven by the rate of login attempts
  • The certainty score is driven by the overall number of login attempts
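As an added illustration of the trigger logic above (this is example code, not the product's own detection), the following script aggregates SMB logon records per source host and account, derives a rate-driven threat score and a count-driven certainty score, and flags pairs that look like brute forcing. The record format, the thresholds and the score scaling are all assumptions made for the example; the sample log is constructed.

```python
"""Added example: score SMB logon attempts per (source host, account).

Threat is driven by the attempt rate, certainty by the total attempt count,
mirroring the trigger description. Log format, thresholds and scaling
factors are assumptions for this example, not the product's real values.
"""
from collections import defaultdict
from datetime import datetime


def make_sample_log():
    """Constructed sample: one host hammers svc_backup (11 failures, then one
    success) within a minute; another host logs in as alice twice, normally."""
    lines = []
    for i in range(12):
        outcome = "OK" if i == 11 else "FAIL"
        lines.append(f"2024-03-01T10:00:{i * 5:02d} 10.0.0.5 10.0.0.20 svc_backup {outcome}")
    lines.append("2024-03-01T10:03:00 10.0.0.7 10.0.0.20 alice OK")
    lines.append("2024-03-01T10:30:00 10.0.0.7 10.0.0.20 alice OK")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp src dst account outcome' records (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, account, outcome == "FAIL"))
    return events


def score_sources(events, min_attempts=10, min_failures=5,
                  threat_per_attempt_per_min=5, certainty_per_attempt=4):
    """Return per-(src, account) statistics and scores.

    rate is attempts per minute over the observed span (floored at one minute
    so a burst is not divided by a tiny interval). Scaling factors are
    assumptions chosen for this example.
    """
    groups = defaultdict(list)
    for ts, src, _dst, account, failed in events:
        groups[(src, account)].append((ts, failed))

    result = {}
    for key, items in groups.items():
        items.sort()
        attempts = len(items)
        failures = sum(1 for _ts, failed in items if failed)
        span_min = (items[-1][0] - items[0][0]).total_seconds() / 60.0
        rate = attempts / max(span_min, 1.0)
        result[key] = {
            "attempts": attempts,
            "failures": failures,
            "rate_per_min": rate,
            "threat": min(99, int(rate * threat_per_attempt_per_min)),
            "certainty": min(99, attempts * certainty_per_attempt),
            # Many, though not all, attempts must fail before we call it brute force.
            "flagged": attempts >= min_attempts and failures >= min_failures,
        }
    return result


if __name__ == "__main__":
    for (src, account), stats in score_sources(parse_log(make_sample_log())).items():
        print(src, account, stats)
```

The failure threshold matters: a host that re-authenticates very frequently but always succeeds (a busy file server client) should not trip this logic, while a host that keeps failing against one account should, even if a late attempt eventually succeeds.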

Possible Root Causes

  • An infected host or a malicious insider in control of the host is trying to guess passwords for an account on another internal system
  • A misconfigured host is constantly trying to connect to one or more other internal systems using an incorrect password or trying to log into an account which no longer exists or is locked out

Business Impact

  • Successful harvesting of account credentials (usernames and passwords) of other accounts, particularly more privileged accounts, is a classic progression of a targeted attack
  • Even if triggered due to a misconfiguration, the identified behavior is creating significant stress on the target system and should be cleaned up

Steps to Verify

  1. Determine whether the internal host in question should be connecting to the target host using the indicated account(s); if not, this is likely malicious behavior
  2. Determine which process on the internal host is initiating the SMB requests; in Windows systems, this can be done using a combination of netstat and tasklist commands
  3. Verify that the process should be running on the internal host and whether the process is configured correctly
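Step 2 above joins the PID column of netstat with the process list from tasklist. As an added example (not part of the original page), the script below does that join over captured output: it parses `netstat -ano` text, parses `tasklist /fo csv` text, and reports every TCP connection to the SMB port together with the owning process name. The two command outputs embedded here are constructed samples; in practice you would paste in the real output from the host under investigation.

```python
"""Added example: map SMB (TCP/445) connections to the owning process by
joining 'netstat -ano' output with 'tasklist /fo csv' output.

Both samples below are constructed for the example.
"""
import csv
import io

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49731         10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.5:49800         10.0.0.20:445          ESTABLISHED     5120
  TCP    10.0.0.5:49810         93.184.216.34:443      ESTABLISHED     7788
  UDP    0.0.0.0:137            *:*                                    1234
"""

TASKLIST_CSV_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"svchost.exe","5120","Services","0","12,345 K"
"chrome.exe","7788","Console","1","123,456 K"
"""


def parse_netstat(text):
    """Return TCP connections from 'netstat -ano' output.

    UDP rows have no State column (four fields), so they are skipped here.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, remote, state, pid = parts
        # rsplit keeps IPv6 literals such as [::1]:445 intact.
        rhost, rport = remote.rsplit(":", 1)
        conns.append({
            "local": local,
            "remote_host": rhost,
            "remote_port": int(rport),
            "state": state,
            "pid": int(pid),
        })
    return conns


def parse_tasklist_csv(text):
    """Return {pid: image name} from 'tasklist /fo csv' output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def smb_connections_by_process(netstat_text, tasklist_text, smb_port=445):
    """Join the two listings on PID and keep only connections to smb_port."""
    procs = parse_tasklist_csv(tasklist_text)
    matches = []
    for conn in parse_netstat(netstat_text):
        if conn["remote_port"] != smb_port:
            continue
        conn["process"] = procs.get(conn["pid"], "<unknown>")
        matches.append(conn)
    return matches


if __name__ == "__main__":
    for conn in smb_connections_by_process(NETSTAT_SAMPLE, TASKLIST_CSV_SAMPLE):
        print(f'{conn["process"]:<14} PID {conn["pid"]:<6} -> {conn["remote_host"]}:{conn["remote_port"]} {conn["state"]}')
```

One caveat for step 3: on Windows a connection owned by PID 4 (System) was opened by the kernel's SMB redirector on behalf of something else, such as a mapped drive, a scheduled task or a service using a UNC path, so the process list alone will not name the component whose stored credential is wrong; the PID only tells you where to look next.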