Jump to content

SMB.Attack.Bruteforce

Paneliya Mehulkumar
 Share

Recommended Posts

itman

itman 1,627

Posted
Posted

Verify that source IP address is one within your local subnet address range. Appears it is.

The source device is repeatedly trying to logon to the target IP address device and failing. This could be due to malware present on the source device. Or, an attacker that has gained remote access to the source device and from it is attempting to gain access to the target device.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,909

Posted
  • Administrators
Posted

If you believe that what Itman wrote cannot be the case, you can enable advanced logging under Help and support -> Technical support, reboot the machine, reproduce the detection, stop logging and collect logs with ESET Log Collector. When done, provide ELC logs for perusal.

Link to comment
Share on other sites
  • 1 month later...
Paneliya Mehulkumar

Paneliya Mehulkumar 0

Posted
  • Author
Posted
On 12/26/2021 at 5:26 PM, Marcos said:

If you believe that what Itman wrote cannot be the case, you can enable advanced logging under Help and support -> Technical support, reboot the machine, reproduce the detection, stop logging and collect logs with ESET Log Collector. When done, provide ESET Log Collector logs for perusal.

How can i give you logs ? I want to share ESVC & ESET Log Collector logs with eset technical support

Link to comment
Share on other sites
  • Most Valued Members
Nightowl

Nightowl 198

Posted
  • Most Valued Members
Posted
2 hours ago, Paneliya Mehulkumar said:

How can i give you logs ? I want to share ESVC & ESET Log Collector logs with eset technical support

Logs that are uploaded to the forum can only be accessed by ESET Staff , or you could send it to one of their staff through Private Message , if it wasn't possible to upload it to the forum due to the file size , you can upload it to some websites like Google Drive and share the link also with ESET staff

Link to comment
Share on other sites
  • 3 weeks later...
  • Administrators
Marcos

Marcos 4,909

Posted
  • Administrators
Posted
4 minutes ago, Paneliya Mehulkumar said:

What is the solution for this?

You should find out why is the attack happening; what is running there that could be causing it.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,909

Posted
  • Administrators
Posted

You can try uninstalling  "Winsent Innocenti 3.0.3".

The attacks are performed under the account svk\ST81$, no clue what it could be,

 

Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted
8 hours ago, Marcos said:

You can try uninstalling  "Winsent Innocenti 3.0.3".

Also of note is this software might not be compatible with Win 10:

Quote

Winsent Innocenti works in any version of Windows (8/7/Vista/XP/2000).

https://www.winsentmessenger.com/innocenti/

Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted (edited)
6 hours ago, Paneliya Mehulkumar said:

but we have more systems with the same issue which have different os. sending you logs for two more systems that have win7 and win8 

This Microsoft article shows how to disable SMBv1 for WIn7/8 plus server OS's: https://docs.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

Additional ref.: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 .

Note this section if applicable to you:

Quote

Explorer Network Browsing

The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.
 
Edited by itman
Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted (edited)

I will also add that there are know vulnerabilities that exist for SMBv2 such as this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0633 . Most well known is the EternalBlue; aka Wanacry episode, exploit that attacked vulnerable SMBv2 OS versions.

Microsoft has issued patches for these for SMBv2 vulnerabilities for supported OS versions. Time you seriously considering updating your unsupported OS versions.

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,909

Posted
  • Administrators
Posted

Neither ELC nor ESVC logs were collected with the latest version of the tools so some information and data was not available to me.

For instance, on PG14 I've found the following:

User Account Control (UAC) is disabled.
Recommended action: Enable UAC

Logon events auditing is probably partially (or fully) disabled.
Recommended action: Enable (Launch secpol.msc and in Local Policies -> Audit Policy -> Audit logon events, check both Success and Failure.)

The following critical patches may be missing:
- MS17-010, codename "EternalBlue"  (https://technet.microsoft.com/en-us/library/security/MS17-010)

 

 

Link to comment
Share on other sites
Paneliya Mehulkumar

Paneliya Mehulkumar 0

Posted
  • Author
Posted (edited)
On 2/28/2022 at 8:28 PM, itman said:

Do you have SMB ver. 1 disabled on the client devices?

Eset_SMB1.png.5381cd8ecc0e78f362a29b3518829621.png

Sorry for wrong observation, but disabling smb1 not resolved issue. Still both system (172.17.5.68>172.17.5.69) have smb attack.

smb3.png

Edited by Paneliya Mehulkumar
Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted

As a temporary measure, you can create an Eset firewall rule for the device associated with IP address, 172.17.5.68, to block all outbound TCP network traffic for port 445. Set the logging level for the rule to warning to record all events in the Eset Network protection log. Move the rule to the top of the existing Eset firewall rule set. This might yield the source process behind this activity.

Quote

The following critical patches may be missing:
- MS17-010, codename "EternalBlue"  (https://technet.microsoft.com/en-us/library/security/MS17-010)

Have you verified that this Windows update has been applied to the above device and for that matter, all devices on your network? 

Link to comment
Share on other sites
itman

itman 1,627

Posted
Posted (edited)

I will also note that all the screen shots posted to date show a SMBv2 based attack.

Below are links to Microsoft update patches for all known SMBv2 vulnerabilities. If these have not been applied to the noted affected OS versions, you can be exploited by any of these.

Whereas Eset will detect a known exploit attempt and block it, the only way to prevent the exploit activity from occurring is to apply these updates.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0633

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0630

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8444

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0833

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0016

Below are additional SMB vulnerabilities not exclusive to SMBv2:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1206

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28325

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36960

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36972

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36974

Edited by itman
Link to comment
Share on other sites
Paneliya Mehulkumar

Paneliya Mehulkumar 0

Posted
  • Author
Posted
On 3/2/2022 at 7:17 PM, itman said:

As a temporary measure, you can create an Eset firewall rule for the device associated with IP address, 172.17.5.68, to block all outbound TCP network traffic for port 445. Set the logging level for the rule to warning to record all events in the Eset Network protection log. Move the rule to the top of the existing Eset firewall rule set. This might yield the source process behind this activity.

Have you verified that this Windows update has been applied to the above device and for that matter, all devices on your network? 

We have created a firewall rule as per your instruction & collected logs again ,check it

svinod5smb.png

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...