DETECTION OVERVIEW

New Outbound SMB Connection

Risk Factors

SMB network traffic does not typically traverse the network perimeter. Any SMB traffic that crosses the network perimeter without authorization should be investigated for signs of malicious activity.

Legitimate external SMB traffic associated with cloud-based instances, port forwarding, or packet filtering at the network perimeter might often look like traffic to unauthorized file servers. Configure Network Localities in the ExtraHop system to classify legitimate external SMB traffic as internal.

The system might change the risk score for this detection.

Kill Chain

Caution

Risk Score

Attack Background

N/A

Mitigation Options

Quarantine the device while checking for indicators of compromise

Block SMB inbound and outbound traffic at the network perimeter

MITRE ATT&CK ID

T1021
T1187

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases