SMB (Windows File Sharing) Activity to the Internet
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
maturity = "production"
# Why this rule needs min_stack_version: it relies on fields only present on newer stacks.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/17"

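[rule]
author = ["Elastic"]
description = """
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to
the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted
systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
# Each run queries the 9 minutes preceding it, measured on event.ingested (see timestamp_override).
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
# Source of the special-purpose IPv4 blocks excluded as destinations in the query below.
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
# One "Tactic:" tag per tactic mapped in [[rule.threat]] (Initial Access and Exfiltration).
tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Endpoint", "Use Case: Threat Detection"]
# Evaluate on ingest time rather than event time so late-arriving flow records still fall inside the lookback.
timestamp_override = "event.ingested"
type = "query"

# Matches TCP flows to the SMB/NetBIOS session ports (445, 139), or the Zeek SMB dataset, whose source is an
# RFC 1918 private address and whose destination is NOT a private or special-purpose address - i.e. the flow is
# leaving toward public address space. The destination exclusions follow the IANA IPv4 special-purpose registry
# referenced above plus IPv6 loopback, link-local and multicast; 192.0.0.0/24 already contains the /29 and the
# individual /32 entries of that registry, so they are not listed separately.
# Coverage note: only RFC 1918 sources are considered, so internal hosts addressed from 100.64.0.0/10 (CGNAT) or
# from public space will not trigger this rule.
query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
  network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
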
[[rule.threat]]
framework = "MITRE ATT&CK"

# Initial Access mapping: an SMB service reachable from the Internet is a public-facing application
# that can be exploited (see the rule description).
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# Exfiltration mapping: the rule description also calls out SMB to the Internet as a data exfiltration channel.
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
References
Related rules
- Accepted Default Telnet Port Connection
- RPC (Remote Procedure Call) from the Internet
- RPC (Remote Procedure Call) to the Internet
- Unusual Linux Username
- Unusual Windows Remote User