SMB (Windows File Sharing) Activity to the Internet
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.
Elastic rule
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/09/18"

[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to
the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"

query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
 network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
 source.ip:(
 10.0.0.0/8 or
 172.16.0.0/12 or
 192.168.0.0/16
 ) and
 not destination.ip:(
 10.0.0.0/8 or
 127.0.0.0/8 or
 169.254.0.0/16 or
 172.16.0.0/12 or
 192.0.0.0/24 or
 192.0.0.0/29 or
 192.0.0.8/32 or
 192.0.0.9/32 or
 192.0.0.10/32 or
 192.0.0.170/32 or
 192.0.0.171/32 or
 192.0.2.0/24 or
 192.31.196.0/24 or
 192.52.193.0/24 or
 192.168.0.0/16 or
 192.88.99.0/24 or
 224.0.0.0/4 or
 100.64.0.0/10 or
 192.175.48.0/24 or
 198.18.0.0/15 or
 198.51.100.0/24 or
 203.0.113.0/24 or
 240.0.0.0/4 or
 "::1" or
 "FE80::/10" or
 "FF00::/8"
 )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
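The query above, re-implemented as an added Python example (not code from the Elastic rule or its repository) so each clause can be checked against constructed flow events: the source must be RFC 1918 space, the destination must fall outside every listed special-purpose range, and a Zeek SMB event qualifies even on a non-standard port. The sample events and the address 198.51.101.9 are constructed for the example.

```python
import ipaddress

# Sources the query requires (RFC 1918) and the destinations it excludes (the
# IANA special-purpose ranges listed in the KQL), as ipaddress networks.
PRIVATE_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1/128", "fe80::/10", "ff00::/8")]

def matches_rule(event):
    """Evaluate one flattened ECS event against the rule's KQL, clause by clause."""
    dataset = event.get("event.dataset", "")
    categories = event.get("event.category", [])
    categories = [categories] if isinstance(categories, str) else categories
    if dataset != "network_traffic.flow" and not any(
            c in ("network", "network_traffic") for c in categories):
        return False
    if event.get("network.transport") != "tcp":
        return False
    # A non-standard port still counts when Zeek already classified the flow as SMB.
    if event.get("destination.port") not in (139, 445) and dataset != "zeek.smb":
        return False
    try:
        src = ipaddress.ip_address(event["source.ip"])
        dst = ipaddress.ip_address(event["destination.ip"])
    except (KeyError, ValueError):
        return False  # a missing or unparsable field never satisfies a KQL field test
    # "addr in net" is False across IP versions, so v6 exclusions only apply to v6 destinations.
    return any(src in n for n in PRIVATE_SOURCES) and not any(dst in n for n in EXCLUDED_DESTINATIONS)

# Constructed sample events, not real telemetry. 198.51.101.9 is a made-up
# address one network past TEST-NET-2, so it counts as "the Internet" here.
SAMPLE_EVENTS = [
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",  # fires
     "source.ip": "10.1.2.3", "destination.ip": "198.51.101.9", "destination.port": 445},
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",  # CGNAT dst: excluded
     "source.ip": "10.1.2.3", "destination.ip": "100.64.5.6", "destination.port": 445},
    {"event.dataset": "zeek.smb", "event.category": ["network"], "network.transport": "tcp",
     "source.ip": "192.168.1.10", "destination.ip": "198.51.101.9", "destination.port": 4450},  # fires
    {"event.dataset": "network_traffic.flow", "network.transport": "tcp",  # destination.ip missing
     "source.ip": "10.0.0.5", "destination.port": 139},
]
def alerts(events):  # indexes of the events the rule would alert on
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Running `alerts(SAMPLE_EVENTS)` returns `[0, 2]`: the plain 445 flow and the Zeek-classified SMB flow on port 4450 alert, while the CGNAT destination and the event with no destination address do not.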
Related rules
- Accepted Default Telnet Port Connection
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- IPSEC NAT Traversal Port Activity
- Possible FIN7 DGA Command and Control Behavior