Rare SMB Connection to the Internet

This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.


# Rule bookkeeping consumed by the detection-rules tooling (not part of the
# detection logic). Dates are written as "YYYY/MM/DD" strings, not TOML dates.
[metadata]
creation_date = "2023/12/04"
# Integrations whose data this rule is expected to run over; each should have a
# matching pattern in the rule's `index` list.
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/28"
# Lowest stack version the rule is published for; see min_stack_comments for why.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
[rule]
author = ["Elastic"]
description = """
This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials
via rogue UNC path injection.
"""
# Look-back window evaluated on each run. No `interval` is set here, so the
# run cadence is the platform default; "now-9m" presumably overlaps consecutive
# runs so that late-indexed events are not missed — confirm against the rule schema.
from = "now-9m"
# One index pattern per data source; these line up with the `integration`
# list in [metadata] and the "Data Source:" tags below.
index = [
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
# KQL ("kuery"): the query below is a filter, not a sequence/correlation.
language = "kuery"
license = "Elastic License v2"
name = "Rare SMB Connection to the Internet"
references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"]
risk_score = 47
rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
# Window events by ingestion time rather than the event's own timestamp, so
# delayed forwarding from the endpoint does not fall outside the `from` window.
timestamp_override = "event.ingested"
# "new_terms": a match only alerts when the field configured in [rule.new_terms]
# (destination.ip) has not been seen within its history window, which is what
# makes the rule "rare" rather than "every" SMB connection to the internet.
type = "new_terms"

# What the filter matches, clause by clause (comments cannot go inside the
# literal string, so they live here):
#   - network events on Windows hosts where process.pid is 4 — the System
#     process, which on Windows owns the kernel SMB client's outbound sockets,
#     so user-mode tools that speak SMB directly are NOT covered;
#   - TCP to port 139 (NetBIOS session) or 445 (direct SMB);
#   - source.ip inside an RFC 1918 range. Caveat: a host whose own address is
#     public (e.g. a cloud VM with a public interface) never matches, because
#     the source clause requires a private address;
#   - destination.ip outside the excluded private, loopback, link-local, CGNAT,
#     documentation/benchmark, multicast and reserved ranges — i.e. an address
#     that should be routable on the internet. 192.0.0.0/24 already contains the
#     192.0.0.0/29 and 192.0.0.x/32 entries, so those are redundant but harmless.
#     Only ::1, FE80::/10 and FF00::/8 are excluded on the IPv6 side; since the
#     source clause is IPv4-only this is unlikely to matter, but IPv6 ULA
#     (fc00::/7) is not listed — NOTE(review): confirm that is intentional.
query = '''
event.category:network and host.os.type:windows and process.pid:4 and 
  network.transport:tcp and destination.port:(139 or 445) and 
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
 82
 83
# ATT&CK mapping. The rule is filed under Exfiltration only, yet the description
# frames the activity as NTLM credential leakage via rogue UNC paths, which
# ATT&CK catalogues as Forced Authentication (T1187, Credential Access) —
# NOTE(review): consider adding a second [[rule.threat]] entry for that technique
# so triage surfaces the credential-theft angle as well.
[[rule.threat]]
framework = "MITRE ATT&CK"
# Technique(s) of this threat entry; a sub-array of the [[rule.threat]] element above.
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"


# Tactic of the same [[rule.threat]] element (must stay before any further [[rule.threat]]).
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
 96
# Parameters for `type = "new_terms"`: the rule only alerts on a destination.ip
# that has not been observed in the preceding 7 days, so a destination that
# keeps recurring is meant to alert once per window, not on every connection.
# Widening `value` (e.g. to include host.name) would make the "new" term
# per-host instead of fleet-wide; narrowing the window raises alert volume.
[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip"]
# Single-element array of tables is the detection-rules repo convention for this key.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"


