Jump to content

SMB.Attack.Bruteforce


Recommended Posts

Verify that source IP address is one within your local subnet address range. Appears it is.

The source device is repeatedly trying to logon to the target IP address device and failing. This could be due to malware present on the source device. Or, an attacker that has gained remote access to the source device and from it is attempting to gain access to the target device.

Link to comment
Share on other sites

  • Administrators

If you believe that what Itman wrote cannot be the case, you can enable advanced logging under Help and support -> Technical support, reboot the machine, reproduce the detection, stop logging and collect logs with ESET Log Collector. When done, provide ELC logs for perusal.

Link to comment
Share on other sites

  • 1 month later...
On 12/26/2021 at 5:26 PM, Marcos said:

If you believe that what Itman wrote cannot be the case, you can enable advanced logging under Help and support -> Technical support, reboot the machine, reproduce the detection, stop logging and collect logs with ESET Log Collector. When done, provide ESET Log Collector logs for perusal.

How can i give you logs ? I want to share ESVC & ESET Log Collector logs with eset technical support

Link to comment
Share on other sites

  • Most Valued Members
2 hours ago, Paneliya Mehulkumar said:

How can i give you logs ? I want to share ESVC & ESET Log Collector logs with eset technical support

Logs that are uploaded to the forum can only be accessed by ESET Staff , or you could send it to one of their staff through Private Message , if it wasn't possible to upload it to the forum due to the file size , you can upload it to some websites like Google Drive and share the link also with ESET staff

Link to comment
Share on other sites

  • 3 weeks later...
  • Administrators

The detection is correct, there's a brute-force SMB attack being performed on 172.17.5.69 against 172.17.5.68:

image.png

Link to comment
Share on other sites

  • Administrators
4 minutes ago, Paneliya Mehulkumar said:

What is the solution for this?

You should find out why is the attack happening; what is running there that could be causing it.

Link to comment
Share on other sites

  • Administrators

You can try uninstalling  "Winsent Innocenti 3.0.3".

The attacks are performed under the account svk\ST81$, no clue what it could be,

 

Link to comment
Share on other sites

Disabling sbm1 resolved the issue for this system. but we have more systems with the same issue which have different os. sending you logs for two more systems that have win7 and win8 

svinod.png

Link to comment
Share on other sites

  • Administrators

You should find out what is the svk\dkpdkk account which is used in the SMB attack:

image.png

 

Link to comment
Share on other sites

6 hours ago, Paneliya Mehulkumar said:

but we have more systems with the same issue which have different os. sending you logs for two more systems that have win7 and win8 

This Microsoft article shows how to disable SMBv1 for WIn7/8 plus server OS's: https://docs.microsoft.com/en-US/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

Additional ref.: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858 .

Note this section if applicable to you:

Quote

Explorer Network Browsing

The Computer Browser service relies on SMB1 in order to populate the Windows Explorer Network (aka "Network Neighborhood"). This legacy protocol is long deprecated, doesn't route, and has limited security. Because it cannot function without SMB1, it is removed at the same time.
 
Edited by itman
Link to comment
Share on other sites

I will also add that there are know vulnerabilities that exist for SMBv2 such as this one: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-0633 . Most well known is the EternalBlue; aka Wanacry episode, exploit that attacked vulnerable SMBv2 OS versions.

Microsoft has issued patches for these for SMBv2 vulnerabilities for supported OS versions. Time you seriously considering updating your unsupported OS versions.

Edited by itman
Link to comment
Share on other sites

  • Administrators

Neither ELC nor ESVC logs were collected with the latest version of the tools so some information and data was not available to me.

For instance, on PG14 I've found the following:

User Account Control (UAC) is disabled.
Recommended action: Enable UAC

Logon events auditing is probably partially (or fully) disabled.
Recommended action: Enable (Launch secpol.msc and in Local Policies -> Audit Policy -> Audit logon events, check both Success and Failure.)

The following critical patches may be missing:
- MS17-010, codename "EternalBlue"  (https://technet.microsoft.com/en-us/library/security/MS17-010)

 

 

Link to comment
Share on other sites

Posted (edited)
On 2/28/2022 at 8:28 PM, itman said:

Do you have SMB ver. 1 disabled on the client devices?

Eset_SMB1.png.5381cd8ecc0e78f362a29b3518829621.png

Sorry for wrong observation, but disabling smb1 not resolved issue. Still both system (172.17.5.68>172.17.5.69) have smb attack.

smb3.png

Edited by Paneliya Mehulkumar
Link to comment
Share on other sites

As a temporary measure, you can create an Eset firewall rule for the device associated with IP address, 172.17.5.68, to block all outbound TCP network traffic for port 445. Set the logging level for the rule to warning to record all events in the Eset Network protection log. Move the rule to the top of the existing Eset firewall rule set. This might yield the source process behind this activity.

Quote

The following critical patches may be missing:
- MS17-010, codename "EternalBlue"  (https://technet.microsoft.com/en-us/library/security/MS17-010)

Have you verified that this Windows update has been applied to the above device and for that matter, all devices on your network? 

Link to comment
Share on other sites

I will also note that all the screen shots posted to date show a SMBv2 based attack.

Below are links to Microsoft update patches for all known SMBv2 vulnerabilities. If these have not been applied to the noted affected OS versions, you can be exploited by any of these.

Whereas Eset will detect a known exploit attempt and block it, the only way to prevent the exploit activity from occurring is to apply these updates.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0633

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0630

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-8444

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2018-0833

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0016

Below are additional SMB vulnerabilities not exclusive to SMBv2:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1206

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28325

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36960

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36972

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36974

Edited by itman
Link to comment
Share on other sites

On 3/2/2022 at 7:17 PM, itman said:

As a temporary measure, you can create an Eset firewall rule for the device associated with IP address, 172.17.5.68, to block all outbound TCP network traffic for port 445. Set the logging level for the rule to warning to record all events in the Eset Network protection log. Move the rule to the top of the existing Eset firewall rule set. This might yield the source process behind this activity.

Have you verified that this Windows update has been applied to the above device and for that matter, all devices on your network? 

We have created a firewall rule as per your instruction & collected logs again ,check it

svinod5smb.png

Link to comment
Share on other sites

  • Administrators

Asking again, what is the account svk\dkpdkk which is performing the brute-force attack?

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...