SMB (Windows File Sharing) Activity to the Internet
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to
the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
65note = """## Triage and analysis
66
67> **Disclaimer**:
68> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
69
70### Investigating SMB (Windows File Sharing) Activity to the Internet
71
72SMB, a protocol for sharing files and resources within trusted networks, is vulnerable when exposed to the Internet. Adversaries exploit it for unauthorized access or data theft. The detection rule identifies suspicious SMB traffic from internal IPs to external networks, flagging potential threats by monitoring specific ports and excluding known safe IP ranges.
73
74### Possible investigation steps
75
76- Review the source IP address from the alert to identify the internal system initiating the SMB traffic. Check if this IP belongs to a known device or user within the organization.
77- Investigate the destination IP address to determine if it is associated with any known malicious activity or if it belongs to a legitimate external service that might require SMB access.
78- Analyze network logs to identify any patterns or anomalies in the SMB traffic, such as unusual data transfer volumes or repeated access attempts, which could indicate malicious activity.
79- Check for any recent changes or updates on the source system that might explain the SMB traffic, such as new software installations or configuration changes.
80- Correlate the alert with other security events or logs, such as authentication logs or endpoint security alerts, to gather additional context and determine if this is part of a broader attack or isolated incident.
81- Consult threat intelligence sources to see if there are any known vulnerabilities or exploits related to the SMB traffic observed, which could provide insight into potential attack vectors.
82
83### False positive analysis
84
85- Internal testing environments may generate SMB traffic to external IPs for legitimate reasons. Identify and whitelist these IPs to prevent false positives.
86- Cloud services or remote backup solutions might use SMB for data transfer. Verify these services and add their IP ranges to the exception list if they are trusted.
87- VPN connections can sometimes appear as external traffic. Ensure that VPN IP ranges are included in the list of known safe IPs to avoid misclassification.
88- Misconfigured network devices might inadvertently route SMB traffic externally. Regularly audit network configurations and update the rule exceptions to include any legitimate device IPs.
89- Some third-party applications may use SMB for updates or data synchronization. Confirm the legitimacy of these applications and exclude their associated IPs from the detection rule.
90
91### Response and remediation
92
93- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
94- Conduct a thorough review of firewall and network configurations to ensure SMB traffic is not allowed to the Internet, and block any unauthorized outbound SMB traffic on ports 139 and 445.
95- Perform a comprehensive scan of the isolated system for malware or unauthorized access tools, focusing on identifying any backdoors or persistence mechanisms.
96- Reset credentials and review access permissions for any accounts that may have been compromised or used in the suspicious activity.
97- Notify the security operations center (SOC) and relevant stakeholders about the incident for further analysis and potential escalation.
98- Implement additional monitoring and logging for SMB traffic to detect any future unauthorized attempts to access the Internet.
99- Review and update security policies and procedures to prevent similar incidents, ensuring that SMB services are only accessible within trusted network segments."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1190"
106name = "Exploit Public-Facing Application"
107reference = "https://attack.mitre.org/techniques/T1190/"
108
109
110[rule.threat.tactic]
111id = "TA0001"
112name = "Initial Access"
113reference = "https://attack.mitre.org/tactics/TA0001/"
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116[[rule.threat.technique]]
117id = "T1048"
118name = "Exfiltration Over Alternative Protocol"
119reference = "https://attack.mitre.org/techniques/T1048/"
120
121
122[rule.threat.tactic]
123id = "TA0010"
124name = "Exfiltration"
125reference = "https://attack.mitre.org/tactics/TA0010/"
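To see which flow records the KQL above actually fires on, and how the exceptions recommended in the false positive section change that, here is an added Python example that is not part of the Elastic rule or its repository. It re-implements each clause of the query over flattened ECS-style events constructed inline; the addresses (10.1.2.3, 198.52.100.23 and so on) are constructed placeholders, and the `extra_exclusions` parameter is a hypothetical stand-in for the rule exceptions a detection engineer would add for trusted backup or cloud ranges.

```python
import ipaddress
from typing import Any, Dict, Iterable, List

# Source ranges the rule requires: RFC 1918 private space, as in the KQL.
INTERNAL_SOURCE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Destination ranges the rule excludes: the IANA special-purpose blocks listed in the query.
EXCLUDED_DESTINATION_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8",
)]

SMB_PORTS = {139, 445}


def _in_any(ip, networks) -> bool:
    # ipaddress returns False when a v4 address is tested against a v6 network, so mixing is safe.
    return any(ip in net for net in networks)


def _as_networks(cidrs: Iterable) -> List:
    return [c if isinstance(c, (ipaddress.IPv4Network, ipaddress.IPv6Network))
            else ipaddress.ip_network(c) for c in cidrs]


def matches_rule(event: Dict[str, Any], extra_exclusions: Iterable = ()) -> bool:
    """True if this flattened ECS event satisfies every clause of the rule's KQL."""
    dataset = event.get("event.dataset", "")
    category = event.get("event.category", [])
    categories = {category} if isinstance(category, str) else set(category)
    # (event.dataset: network_traffic.flow or event.category: (network or network_traffic))
    if dataset != "network_traffic.flow" and not categories & {"network", "network_traffic"}:
        return False
    # network.transport:tcp
    if event.get("network.transport") != "tcp":
        return False
    # destination.port:(139 or 445) or event.dataset:zeek.smb
    if event.get("destination.port") not in SMB_PORTS and dataset != "zeek.smb":
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False  # a missing or unparsable ip field can never satisfy the KQL range clauses
    # source.ip must be RFC 1918
    if not _in_any(src, INTERNAL_SOURCE_RANGES):
        return False
    # not destination.ip in the excluded ranges, plus any locally added rule exceptions (hypothetical)
    return (not _in_any(dst, EXCLUDED_DESTINATION_RANGES)
            and not _in_any(dst, _as_networks(extra_exclusions)))


def alerting_indices(events: List[Dict[str, Any]], extra_exclusions: Iterable = ()) -> List[int]:
    """Indices of the events the rule would turn into alerts."""
    return [i for i, e in enumerate(events) if matches_rule(e, extra_exclusions)]


# Constructed sample flows; 198.52.100.23 stands in for an arbitrary public address.
SAMPLE_EVENTS = [
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",   # 0: internal -> public:445, alerts
     "source.ip": "10.1.2.3", "destination.ip": "198.52.100.23", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",   # 1: internal -> internal, excluded
     "source.ip": "10.1.2.3", "destination.ip": "10.1.2.4", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "udp",   # 2: not TCP
     "source.ip": "10.1.2.3", "destination.ip": "198.52.100.23", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",   # 3: inbound, source not RFC 1918
     "source.ip": "198.52.100.23", "destination.ip": "10.1.2.3", "destination.port": 445},
    {"event.dataset": "zeek.smb", "event.category": "network", "network.transport": "tcp",  # 4: Zeek SMB log, alerts
     "source.ip": "192.168.5.9", "destination.ip": "198.52.100.23", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",   # 5: IPv6 link-local destination, excluded
     "source.ip": "10.0.0.5", "destination.ip": "fe80::1", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",   # 6: multicast destination, excluded
     "source.ip": "172.16.4.4", "destination.ip": "224.0.0.251", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",   # 7: NetBIOS session port 139, alerts
     "source.ip": "172.16.4.4", "destination.ip": "198.52.100.23", "destination.port": 139},
]

if __name__ == "__main__":
    print("alerts:", alerting_indices(SAMPLE_EVENTS))
    print("alerts with trusted range excepted:",
          alerting_indices(SAMPLE_EVENTS, extra_exclusions=["198.52.100.0/24"]))
```

Running it shows three alerts (events 0, 4 and 7) and none once the trusted range is added as an exception, which is the same effect a rule exception for a verified backup provider would have in Kibana. Note that inbound SMB (event 3) is deliberately outside this rule's scope.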
References
- https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
Related rules
- Accepted Default Telnet Port Connection
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- Command Execution via SolarWinds Process
- Execution from a Removable Media with Network Connection