Endpoint Protection

  • 1.  SMB Bruteforce Attempt attack blocked

    Posted Dec 07, 2017 02:04 AM

    Hello,

    Recently we have been observing events related to SMB bruteforce in the environment. I'm not sure what it indicates. I checked the Symantec documentation. The event severity is low, but there is no clarity as to what kind of activity this event indicates. If anyone has more understanding about this, please share your views.

    [SID: 30429] Audit: SMB Bruteforce Attempt attack blocked. Traffic has been blocked for this application: SYSTEM,
    Local: XX.XX.XX.XX,
    Local: 000000000000,
    Remote: ,
    Remote: XX.XX.XX.XX,
    Remote: 000000000000,
    Inbound,TCP,
    Intrusion ID: 0,
    Begin: 2017-12-07 10:41:36,
    End: 2017-12-07 10:41:36,
    Occurrences: 1,
    Application: SYSTEM,
    Location: Default,
    User: XXXX,
    Domain: XX,
    Local Port 63283,
    Remote Port 445,
    CIDS Signature ID: 30429,
    CIDS Signature string: Audit: SMB Bruteforce Attempt,
    CIDS Signature SubID: 76406,
    Intrusion URL: ,
    Intrusion Payload URL: 



  • 2.  RE: SMB Bruteforce Attempt attack blocked

    Trusted Advisor
    Posted Dec 07, 2017 02:24 AM

    Hi Darshan,

    Check the IPS logs on the SEPM to see how widespread this detection is, and where it is coming from!

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    Check the Source of the Attack. If it is coming from a local network, remove the machine from the network.

    I recommend isolating that computer (and the remote computers, if they are inside your network), giving a full system scan with the latest Rapid Release definitions, and then running the SymDiag with Threat Analysis upon it.

    Using Today's SymDiag to Combat Today's Threats 
    https://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

    If everything comes up clean, check your MS Patch level.  Ensure that every available patch is applied.  These will keep malware from exploiting known vulnerabilities.

    Audit: SMB Bruteforce Attempt

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30429

    Hope that helps!!



  • 3.  RE: SMB Bruteforce Attempt attack blocked

    Posted Dec 07, 2017 02:39 AM

    Hi Mithun,

    Appreciate your prompt response. We are currently observing this originating from 1 IP.

    The confusing fact over here is that the remote port is 445 and the traffic direction is incoming. So it has to be response traffic which is getting marked as an SMB Bruteforce Attack attempt. So which system is to be considered the attacker over here?



  • 4.  RE: SMB Bruteforce Attempt attack blocked

    Posted Dec 07, 2017 05:16 AM

    Hi Darshan,

    Thanks for the post.  "Audit: SMB Bruteforce Attempt" is a signature designed to raise awareness if SMB is showing signs of misuse in an organization. (IPS Audit signatures are intended to alert admins about the presence of questionable traffic only. They do not block by default, though admins can choose to configure them to block if they wish.)

    The official write-up:

    Audit: SMB Bruteforce Attempt

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30429

    SMB, especially older releases, has played a major part in some of this past year's worst threats.  Attack: SMB Double Pulsar Ping, OS Attack: Microsoft SMB MS17-010 Disclosure Attempt and other signatures have blocked countless malicious network attacks.  This new SMB-related signature is designed to identify if malware or an attacker is trying to brute-force (like a dictionary attack) SMB credentials and gain access to a computer.

    Malware and attacks can trigger this, but also poorly-designed legitimate software.  If you suspect that the detection is a False Positive, follow the steps in:

    Best Practice for Responding to Suspected IPS False Positives in Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH233625



  • 5.  RE: SMB Bruteforce Attempt attack blocked

    Posted Dec 07, 2017 06:47 AM

    What is the remote IP? Did you determine if it's internal or external to your network? If internal it should be tracked down and removed/investigated. If external, block it at your gateway firewall.



  • 6.  RE: SMB Bruteforce Attempt attack blocked

    Posted Dec 08, 2017 03:25 AM

    Hi Darshan,

    Just a ping to see if you were able to get this mystery solved?  The thread is still marked "needs solution."



  • 7.  RE: SMB Bruteforce Attempt attack blocked

    Posted Jan 30, 2018 06:51 AM

    Hi All,

    The issue is still there. I'll update the thread once I get something new.


    Regards,

    Darshan G. Parab



  • 8.  RE: SMB Bruteforce Attempt attack blocked

    Posted Jan 30, 2018 06:58 AM

    Hi Brian,

    The source is internal. We are still investigating.


    Regards,

    Darshan G. Parab



  • 9.  RE: SMB Bruteforce Attempt attack blocked
    Best Answer

    Posted Mar 06, 2018 01:01 AM

    Hi All,

    Apologies for a delayed reply.

    We were able to complete an investigation in one of the cases where we observed the mentioned signature.

    The attacker system was actually attempting to log in to target systems over SMB with different credentials.

    We isolated the attacker from the network and carried out remediations.

    In some cases we also observed that there were some network shares which clients were trying to log on to. It wasn't a bruteforce attack actually.

    So we can conclude that, in case we observe these detections in the network, we should investigate the endpoint associated with the ephemeral port in the logs.

    Also, the system the SMB logins were attempted on is to be checked to extract relevant logs from the Windows Event logs that can indicate what the attackers are trying to do.
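
    The triage rule above (investigate the host on the ephemeral port, then pull logs from the host on port 445) and the signature description in reply 4 (one host trying many SMB logons versus clients failing against a share) can be applied mechanically to exported SEP IPS events. The script below is an added example written for this thread; it is not Symantec's code and not a tool from the thread. It parses events in the field layout quoted in the first post, names the initiator by which side is not on TCP/445, and labels each initiator with one of the two outcomes reported here. The sample events, the RFC 5737 addresses and the fan-out threshold of 3 are constructed assumptions.

```python
"""Triage helper for SEP IPS "Audit: SMB Bruteforce Attempt" (SID 30429) events.

Added example, not Symantec's code. Rule from the thread: the side using the
ephemeral port is the SMB client attempting logons; the side on TCP/445 is the
target. All sample data below is constructed.
"""
import re
from collections import defaultdict

SMB_PORT = 445

# Field layout as quoted in the thread. "Remote: ," (empty hostname) is skipped
# because the IP group needs at least one digit or dot.
EVENT_RE = re.compile(
    r"Local: (?P<local_ip>[\d.]+),.*?"
    r"Remote: (?P<remote_ip>[\d.]+),.*?"
    r"(?P<direction>Inbound|Outbound),.*?"
    r"Begin: (?P<begin>[\d\- :]+),.*?"
    r"Occurrences: (?P<occurrences>\d+),.*?"
    r"Local Port (?P<local_port>\d+),.*?"
    r"Remote Port (?P<remote_port>\d+),",
    re.S,
)


def make_event(local_ip, local_port, remote_ip, remote_port,
               direction="Inbound", occurrences=1):
    """Build a constructed event string in the same layout as the thread's log."""
    return (
        "[SID: 30429] Audit: SMB Bruteforce Attempt attack blocked. "
        "Traffic has been blocked for this application: SYSTEM,\n"
        f"Local: {local_ip},\nLocal: 000000000000,\nRemote: ,\n"
        f"Remote: {remote_ip},\nRemote: 000000000000,\n{direction},TCP,\n"
        "Intrusion ID: 0,\nBegin: 2017-12-07 10:41:36,\nEnd: 2017-12-07 10:41:36,\n"
        f"Occurrences: {occurrences},\nApplication: SYSTEM,\nLocation: Default,\n"
        f"User: alice,\nDomain: CORP,\nLocal Port {local_port},\n"
        f"Remote Port {remote_port},\nCIDS Signature ID: 30429,\n"
        "CIDS Signature string: Audit: SMB Bruteforce Attempt,\n"
        "CIDS Signature SubID: 76406,\nIntrusion URL: ,\nIntrusion Payload URL: "
    )


def classify(event):
    """Parse one event and decide which side initiated the SMB logons."""
    m = EVENT_RE.search(event)
    if not m:
        raise ValueError("event does not match the SEP IPS layout")
    f = m.groupdict()
    local = (f["local_ip"], int(f["local_port"]))
    remote = (f["remote_ip"], int(f["remote_port"]))
    if remote[1] == SMB_PORT and local[1] != SMB_PORT:
        initiator, target = local, remote   # thread's case: the logging host is the client
    elif local[1] == SMB_PORT and remote[1] != SMB_PORT:
        initiator, target = remote, local   # event logged on the file server
    else:
        initiator = target = (None, None)   # neither or both on 445: cannot tell
    return {
        "initiator_ip": initiator[0],
        "target_ip": target[0],
        "direction": f["direction"],        # kept for reference, not used to decide
        "begin": f["begin"],
        "occurrences": int(f["occurrences"]),
    }


def summarize(events):
    """Per initiator IP: total attempts and the set of distinct targets."""
    stats = defaultdict(lambda: {"attempts": 0, "targets": set()})
    for ev in events:
        c = classify(ev)
        if c["initiator_ip"] is None:
            continue
        stats[c["initiator_ip"]]["attempts"] += c["occurrences"]
        stats[c["initiator_ip"]]["targets"].add(c["target_ip"])
    return dict(stats)


def triage(events, fanout=3):
    """Heuristic verdict per initiator, following the two outcomes in the thread.
    `fanout` is an assumed threshold; tune it to the environment."""
    per_init = summarize(events)
    per_target = defaultdict(set)
    for ip, s in per_init.items():
        for t in s["targets"]:
            per_target[t].add(ip)
    verdicts = {}
    for ip, s in per_init.items():
        if len(s["targets"]) >= fanout:
            verdicts[ip] = "investigate: one host attempting SMB logons against many targets"
        elif all(len(per_target[t]) >= fanout for t in s["targets"]):
            verdicts[ip] = "check share: many clients failing against the same server"
        else:
            verdicts[ip] = "undetermined: pull failed-logon events (Security 4625) from the target"
    return verdicts


# Constructed sample (RFC 5737 addresses): one client logged hitting three servers
# (like the thread's event, local side ephemeral), plus one file server logging
# three different clients against its own port 445.
SAMPLE_EVENTS = [
    make_event("192.0.2.10", 63283, "198.51.100.7", 445),
    make_event("192.0.2.10", 63284, "198.51.100.8", 445, occurrences=4),
    make_event("192.0.2.10", 63285, "198.51.100.9", 445),
    make_event("198.51.100.50", 445, "192.0.2.21", 50112),
    make_event("198.51.100.50", 445, "192.0.2.22", 50980),
    make_event("198.51.100.50", 445, "192.0.2.23", 51377),
]

if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_EVENTS).items()):
        print(ip, "->", verdict)
```

    The Inbound/Outbound field is parsed but deliberately not used to pick the attacker, since it was exactly that field which caused the confusion in reply 3; the port assignment is what identifies the client. Exported SEP IPS logs in a different column order will need the regular expression adjusted.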



  • 10.  RE: SMB Bruteforce Attempt attack blocked

    Posted Mar 06, 2018 04:57 AM

    Many thanks Darshan!