large_internal_smb_download

Explanation

This event is triggered by Netography's Fusion Portal when it detects an internal data transfer over SMB (Server Message Block) with a data volume that exceeds an automatically determined baseline threshold. Auto Thresholding observes network traffic to determine a baseline for normal behavior and then defines thresholds as a number of standard deviations from that behavior. This event specifically looks for SMB data volumes that are multiple standard deviations greater than the learned baseline.
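As an added illustration of the baseline-and-standard-deviation idea (example code, not Netography's Fusion Portal implementation), the following learns a per-host SMB download baseline from constructed history and flags a current interval that sits more than k standard deviations above it. The hosts, byte counts, interval layout and the three-sigma multiplier are assumptions.

```python
# Added illustration, not Netography's implementation: learn a per-host SMB
# download baseline, then flag the current interval at mean + k*stdev.
import statistics

SMB_PORT = 445  # SMB runs over TCP/445

# Constructed learning-window data (invented values): bytes each client pulled
# over SMB in each of four earlier observation intervals.
BASELINE_HISTORY = {
    "10.0.1.10": [95_000_000, 105_000_000, 95_000_000, 105_000_000],
    "10.0.1.11": [95_000_000, 105_000_000, 95_000_000, 105_000_000],
}

# Constructed flow records for the current interval:
# (src_host, dst_host, dst_port, bytes transferred to src).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 445, 60_000_000),
    ("10.0.1.10", "10.0.2.5", 445, 70_000_000),
    ("10.0.1.11", "10.0.2.5", 445, 98_000_000),
    ("10.0.1.10", "10.0.2.9", 443, 500_000_000),  # HTTPS, not SMB: ignored
]

def smb_volume_by_host(flows):
    """Sum bytes downloaded over SMB (dst port 445) per source host."""
    totals = {}
    for src, _dst, dport, nbytes in flows:
        if dport == SMB_PORT:
            totals[src] = totals.get(src, 0) + nbytes
    return totals

def learn_baseline(history):
    """Mean and population standard deviation of a host's past interval volumes."""
    return statistics.fmean(history), statistics.pstdev(history)

def detect_large_smb_downloads(flows, baseline_history, k=3.0):
    """Return (host, bytes, threshold, sigmas) for hosts above mean + k*stdev.
    Hosts with no learning history are skipped: there is no baseline yet."""
    hits = []
    for host, volume in sorted(smb_volume_by_host(flows).items()):
        history = baseline_history.get(host)
        if not history:
            continue
        mean, stdev = learn_baseline(history)
        threshold = mean + k * stdev
        if volume > threshold:
            # Distance above baseline in stdevs; a flat history (stdev 0) makes it unbounded.
            sigmas = (volume - mean) / stdev if stdev else float("inf")
            hits.append((host, volume, threshold, sigmas))
    return hits
```

Here 10.0.1.10 pulled 130 MB against a learned mean of 100 MB and a standard deviation of 5 MB, so it lands six standard deviations above baseline, while 10.0.1.11 stays within its threshold and the HTTPS flow is not counted at all.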

What to Look For

In the context of a network compromise, an anomalous internal SMB download may be an indication that attackers are gathering information from internal systems before moving it (exfiltrating it) off your network. This behavior is sometimes referred to as staging. Attackers frequently collect data from internal systems using SMB (the Server Message Block protocol, which uses TCP port 445) because it is the most common protocol for sharing files between clients and servers and can be found in most computer networks. Systems offering SMB file shares are found even in heterogeneous networks, and ransomware actors leverage this ubiquity to quickly and easily siphon up files. Detections of large internal SMB downloads are worth investigating because they may be indicative of a ransomware attack or industrial espionage in its early stages - before the data has left your network.

Investigate hosts that are the source of this sort of activity to confirm that the activity is authorized and expected and that the hosts have not been compromised. Ensure that hosts downloading large amounts of data over SMB are authorized to collect this data and that they are storing it in an approved manner. Check system and network logs for additional information to ensure that sensitive data is secure.

Related MITRE ATT&CK Categories

Data from Shared Network Drive, Technique T1039 - Enterprise