
High volume of outbound traffic over SMB

ID: smb_outbound_volume
Data type: IP
Severity: Informational - Medium
MITRE ATT&CK: TA0010:T1048

Description

AlphaSOC detected suspicious outbound Server Message Block (SMB) traffic. SMB (TCP 445, or TCP 139 over the NetBIOS session service) is normally confined to internal networks, where it carries file sharing and printer services. Threat actors often use application layer protocols such as SMB to exfiltrate data from compromised systems or to communicate with systems under their control inside a victim's network, because the traffic blends in with existing file-sharing activity and avoids detection.

Impact

Unexpected outbound SMB traffic may indicate ongoing communication with a command and control (C2) server or an attempt to exfiltrate data. This can result in the loss of sensitive data, intellectual property theft, or compliance violations.

Severity

Severity        Condition
Informational   Suspicious outbound SMB traffic
Medium          Suspicious high-volume outbound SMB traffic

Investigation and Remediation

Investigate the source and destination of the SMB traffic and verify whether it is authorized: confirm that the destination really is outside the organization, and check whether the source host (and the account driving the session) has a business reason to reach it. Review SMB and file-access logs to identify which files were transferred and how much data left. If the traffic is unauthorized, block it and isolate the affected systems, then determine the extent of data loss and whether the source host is compromised. To prevent recurrence, implement strict egress firewall rules that deny outbound SMB (TCP 445 and 139) to the Internet except for explicitly approved destinations.
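The triage below is an added example, not AlphaSOC code: it walks the first two steps of the procedure above over a handful of constructed flow records, summing outbound SMB bytes per internal source host towards external destinations and applying the Informational / Medium split from the severity table. The record layout, the RFC 1918 definition of "internal", and the 100 MiB high-volume threshold are assumptions made for the example.

```python
"""Triage helper for the smb_outbound_volume finding (added example, not AlphaSOC code).

Aggregates bytes sent over SMB from internal hosts to external destinations and
assigns the Informational / Medium severity split described on this page.
"""
import ipaddress
from collections import defaultdict

# SMB over TCP (445) and the legacy NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Assumed threshold separating "suspicious" from "high-volume" outbound SMB.
# AlphaSOC's actual threshold is not published on this page.
HIGH_VOLUME_BYTES = 100 * 1024 * 1024  # 100 MiB

# Assumption: "internal" means RFC 1918 space. Adjust to the organization's
# real address plan (e.g. add public ranges it owns) before using for real.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records in a Zeek conn.log-like layout:
# (originator, responder, responder port, protocol, bytes sent by originator).
# External addresses use documentation ranges (RFC 5737), not real hosts.
SAMPLE_FLOWS = [
    ("10.0.4.12", "10.0.4.200", 445, "tcp", 2_500_000),      # internal file server, ignored
    ("10.0.4.12", "203.0.113.45", 445, "tcp", 1_800_000),    # small transfer to the Internet
    ("10.0.4.77", "198.51.100.9", 445, "tcp", 90_000_000),   # large transfer to the Internet
    ("10.0.4.77", "198.51.100.9", 445, "tcp", 40_000_000),
    ("10.0.4.77", "198.51.100.9", 139, "tcp", 5_000_000),    # same host, NetBIOS port
    ("10.0.4.90", "192.0.2.10", 443, "tcp", 300_000_000),    # HTTPS, not SMB, ignored
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb(flows):
    """Per internal source: total bytes and destinations for SMB flows leaving the network."""
    totals = defaultdict(int)
    destinations = defaultdict(set)
    for src, dst, dport, proto, orig_bytes in flows:
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        # Only internal -> external matters here; internal file sharing is expected.
        if not is_internal(src) or is_internal(dst):
            continue
        totals[src] += orig_bytes
        destinations[src].add(dst)
    return {src: (totals[src], sorted(destinations[src])) for src in totals}


def severity(total_bytes: int) -> str:
    """Map outbound SMB volume to the page's Informational / Medium split."""
    return "Medium" if total_bytes >= HIGH_VOLUME_BYTES else "Informational"


def triage(flows):
    """Return {source: {"bytes": n, "destinations": [...], "severity": s}} for review."""
    return {
        src: {"bytes": total, "destinations": dsts, "severity": severity(total)}
        for src, (total, dsts) in outbound_smb(flows).items()
    }


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_FLOWS).items()):
        print(f"{src}: {info['bytes']:,} bytes to {', '.join(info['destinations'])} "
              f"-> {info['severity']}")
```

Run against real conn logs, the destinations list is what you take to the next step (who owns the external host, is it an approved backup or cloud file service), and the per-source totals tell you how much data to account for if the transfer turns out to be unauthorized.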

Known False Positives

  • Misconfigured applications attempting to access network shares over the Internet
  • Legitimate file transfers to cloud storage services using SMB protocols
  • Backup software using SMB protocols to transfer data to off-site storage