SMB (Windows File Sharing) Activity to the Internet

This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.

Elastic rule (View on GitHub)

# Repository bookkeeping for the rule package (authoring dates, stack compatibility).
# Nothing in this table is evaluated when the detection runs.
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
maturity = "production"
# Explains why min_stack_version is pinned: the schema fields named here only exist from that stack version on.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/17"


[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to
the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
# Start of the query window relative to each execution; paired with timestamp_override below
# (presumably wider than the run interval so late-ingested flows are still seen - confirm against the scheduled interval).
from = "now-9m"
# Beats indices plus the data stream of the network_traffic integration named in [metadata].
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
# KQL (Kibana Query Language); the query below is not EQL or Lucene.
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
# Source of the special-purpose IPv4 ranges excluded as destinations in the query.
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
# Window the query on ingest time rather than the event's own timestamp.
timestamp_override = "event.ingested"
type = "query"

# Matches a TCP flow to the SMB/NetBIOS session ports (139, 445), or any Zeek SMB log line, whose source is in an
# RFC 1918 range and whose destination is NOT in any private, loopback, link-local, multicast, test-net, shared
# address space, benchmarking or reserved range listed in the IANA special-purpose registry referenced above -
# i.e. the destination is an Internet-routable address.
# NOTE(review): the source.ip clause is IPv4-only, so internal hosts that use public addressing, and IPv6
# SMB traffic, are not covered; the IPv6 destination exclusions at the end are therefore rarely exercised.
# The KQL string is literal ('''), so no escaping is needed for the quoted IPv6 prefixes.
query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''


# ATT&CK mapping, one [[rule.threat]] entry per tactic. The first covers the "initial access / backdoor"
# case from the description: an SMB service reachable from the Internet.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# Second entry covers the "data exfiltration" case: internal hosts pushing SMB to an external destination.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
