In addition to patching vulnerable Windows systems (see MS17-010), Microsoft has published strong guidance to disable the SMBv1 protocol in today's networks. The WannaCry ransomware outbreak of May 2017 is a clear example of the vulnerabilities inherent in this legacy protocol.
More details on Microsoft's guidance can be found here.
SMBv1 can be disabled from the command line (for example, PowerShell) or through the Registry Editor. Read here for detailed instructions.
Prior to making these changes, use the audit information presented in this bundle's dashboard to identify how and where SMBv1 is used in your environment. Before deactivating the protocol, ensure that doing so won't impact users or production applications.
This bundle provides a trigger that helps detect SMBv1 and SMBv2 traffic by analyzing the SMB/CIFS network protocol (a file-sharing protocol traditionally used by Microsoft Windows systems).
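As an added illustration of the kind of protocol analysis such detection relies on (this is not the bundle's trigger code and not ExtraHop's API), the following standalone Python parses an SMB Negotiate request, tells SMBv1 framing (`\xFFSMB`) from SMB2 framing (`\xFESMB`), lists the dialects the client offers, and flags hosts that can only speak SMBv1. The builder helpers produce constructed sample packets, not captured traffic.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_NEGOTIATE, SMB2_NEGOTIATE = 0x72, 0x0000
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def strip_netbios(frame):
    """NetBIOS session header: 1 byte type (0x00 = session message), 3 byte big-endian length."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    return frame[4:4 + int.from_bytes(frame[1:4], "big")]

def classify_negotiate(frame):
    """Return (family, dialects) for an SMB1 or SMB2 Negotiate request."""
    smb = strip_netbios(frame)
    if smb[:4] == SMB1_MAGIC and smb[4] == SMB1_NEGOTIATE:
        # 32-byte header, WordCount (1), ByteCount (2), then 0x02-prefixed NUL-terminated dialect names
        byte_count = struct.unpack_from("<H", smb, 33)[0]
        data = smb[35:35 + byte_count]
        return "SMB1", [d[1:].decode("ascii") for d in data.split(b"\x00") if d[:1] == b"\x02"]
    if smb[:4] == SMB2_MAGIC and struct.unpack_from("<H", smb, 12)[0] == SMB2_NEGOTIATE:
        # 64-byte header; DialectCount at body offset 2, uint16 dialect codes at body offset 36
        count = struct.unpack_from("<H", smb, 66)[0]
        codes = struct.unpack_from("<%dH" % count, smb, 100)
        return "SMB2+", [SMB2_DIALECTS.get(c, hex(c)) for c in codes]
    raise ValueError("not an SMB Negotiate request")

def assess(frame):
    """Verdict: smb2-native, smb1-upgradable (SMBv1 still on, but SMB2 offered) or smb1-only."""
    family, dialects = classify_negotiate(frame)
    if family == "SMB2+":
        verdict = "smb2-native"
    else:
        verdict = "smb1-upgradable" if any(d.startswith("SMB 2.") for d in dialects) else "smb1-only"
    return {"family": family, "dialects": dialects, "verdict": verdict}

def build_smb1_negotiate(dialects):
    """Constructed sample input (not a capture): NetBIOS-framed SMB1 Negotiate request."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    msg = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + bytes(27) + b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def build_smb2_negotiate(codes):
    """Constructed sample input (not a capture): NetBIOS-framed SMB2 Negotiate request."""
    header = SMB2_MAGIC + struct.pack("<HHIHH", 64, 0, 0, SMB2_NEGOTIATE, 0) + bytes(48)
    body = struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + bytes(24) + struct.pack("<%dH" % len(codes), *codes)
    return b"\x00" + len(header + body).to_bytes(3, "big") + header + body

if __name__ == "__main__":
    print(assess(build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])))
```

A client that sends an SMB1-framed negotiate still has SMBv1 enabled even when it offers SMB 2.x dialects; the `smb1-only` verdict marks the hosts that would be cut off by disabling the protocol.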
- (1) Trigger
  - Ransomware SMB/CIFS Versions 1.0
- (1) Page
  - Ransomware SMB Versions
- (2) Dynamic Groups
  - CIFS Servers
  - CIFS Clients
- (1) Application
- (1) Dashboard
  - SMB/CIFS Versions
ExtraHop version 6.0 or later
Note: Your data feed (such as through an ERSPAN, RSPAN, RPCAP, or port mirror) must be configured correctly and able to view traffic for your SMB/CIFS network-attached storage.
- Download the bundle on this page.
- Log into the ExtraHop Web UI and complete the following procedures, which are available in the ExtraHop Web UI Guide.
Note: It is advised to disable the trigger after you have finished identifying vulnerable machines.