Rare SMB Connection to the Internet

This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.

Elastic rule

[metadata]
creation_date = "2023/12/04"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials
via rogue UNC path injection.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "kuery"
license = "Elastic License v2"
name = "Rare SMB Connection to the Internet"
references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"]
risk_score = 47
rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.category:network and host.os.type:windows and process.pid:4 and
  network.transport:tcp and destination.port:(139 or 445) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Rare SMB Connection to the Internet

Server Message Block (SMB) is a protocol used for sharing files and printers within a network. Adversaries exploit SMB to exfiltrate data by injecting rogue paths to capture NTLM credentials. The detection rule identifies unusual SMB traffic from internal IPs to external networks, flagging potential exfiltration attempts by monitoring specific ports and excluding known safe IP ranges.

### Possible investigation steps

- Review the alert details to identify the internal source IP address involved in the SMB connection and verify if it belongs to a known or authorized device within the organization.
- Check the destination IP address to determine if it is associated with any known malicious activity or if it belongs to an external network that should not be receiving SMB traffic from internal systems.
- Investigate the process with PID 4 on the source host, which typically corresponds to the Windows System process, to identify any unusual activity or recent changes that could indicate compromise or misuse.
- Analyze network logs to trace the SMB traffic flow and identify any patterns or additional connections that may suggest data exfiltration attempts.
- Correlate the alert with other security events or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and determine if this is part of a larger attack campaign.
- Consult with the IT or network team to verify if there are any legitimate business reasons for the detected SMB traffic to the external network, and if not, consider blocking the connection and conducting a deeper investigation into the source host.

### False positive analysis

- Internal network scanning tools may trigger alerts if they simulate SMB traffic to external IPs. Exclude IPs associated with these tools from the rule to prevent false positives.
- Legitimate business applications that require SMB connections to external cloud services might be flagged. Identify and whitelist these specific external IPs or domains to avoid unnecessary alerts.
- Backup solutions that use SMB for data transfer to offsite locations can be mistaken for exfiltration attempts. Ensure these backup service IPs are added to the exception list.
- Misconfigured network devices that inadvertently route SMB traffic externally could cause false alerts. Regularly audit and correct device configurations to minimize these occurrences.
- Security testing or penetration testing activities might generate SMB traffic to external IPs. Coordinate with security teams to temporarily disable the rule or add exceptions during testing periods.

### Response and remediation

- Immediately isolate the affected host from the network to prevent further data exfiltration or lateral movement.
- Conduct a thorough review of the host's network connections and processes to identify any unauthorized SMB traffic or suspicious activities.
- Reset credentials for any accounts that may have been exposed or compromised, focusing on those with elevated privileges.
- Apply patches and updates to the affected system and any other vulnerable systems to mitigate known SMB vulnerabilities.
- Implement network segmentation to limit SMB traffic to only necessary internal communications, reducing the risk of external exposure.
- Enhance monitoring and logging for SMB traffic, particularly for connections to external IPs, to detect and respond to future anomalies more effectively.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
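To see how the two halves of the rule fit together, the following is an added Python model (not Elastic's code) of the KQL filter above plus a simplified version of the `new_terms` evaluation: only `destination.ip` values that pass the filter inside the 9-minute run window and were never seen in the preceding 7-day history window produce an alert. The events, clock and addresses are constructed; 172.32.0.10 and 11.0.0.5 are used only because they sit just outside RFC 1918 space.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Destination ranges the rule excludes (copied from the KQL above).
EXCLUDED_DST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1/128", "fe80::/10", "ff00::/8")]
PRIVATE_SRC = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)

def matches_filter(ev):
    """KQL part: kernel (PID 4) TCP 139/445 from a private source to a non-excluded destination."""
    return (ev["event.category"] == "network" and ev["host.os.type"] == "windows"
            and ev["process.pid"] == 4 and ev["network.transport"] == "tcp"
            and ev["destination.port"] in (139, 445)
            and in_any(ev["source.ip"], PRIVATE_SRC)
            and not in_any(ev["destination.ip"], EXCLUDED_DST))

def new_terms_alerts(events, now, lookback=timedelta(minutes=9), history=timedelta(days=7)):
    """new_terms part (simplified): destination.ip values matching the filter within
    `lookback` that never matched earlier in the `history` window."""
    hits = [e for e in events if matches_filter(e) and now - history <= e["@timestamp"] <= now]
    known = {e["destination.ip"] for e in hits if e["@timestamp"] < now - lookback}
    return sorted({e["destination.ip"] for e in hits
                   if e["@timestamp"] >= now - lookback and e["destination.ip"] not in known})

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock
def event(src, dst, minutes_ago, pid=4):
    """Constructed ECS-style network event (sample data, not real telemetry)."""
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago), "event.category": "network",
            "host.os.type": "windows", "process.pid": pid, "network.transport": "tcp",
            "destination.port": 445, "source.ip": src, "destination.ip": dst}

# 172.32.0.10 and 11.0.0.5 sit just outside RFC 1918 space, so the rule treats them as internet.
SAMPLE_EVENTS = [
    event("10.1.2.3", "172.32.0.10", minutes_ago=2 * 24 * 60),  # matched 2 days ago: known term
    event("10.1.2.3", "172.32.0.10", minutes_ago=3),            # repeat of a known term: no alert
    event("192.168.5.7", "11.0.0.5", minutes_ago=2),            # never-seen destination: alert
    event("192.168.5.7", "192.168.1.20", minutes_ago=1),        # internal file share: excluded
    event("10.1.2.3", "11.0.0.6", minutes_ago=1, pid=1234),     # user-mode SMB client: not PID 4
]
```

Note that the last sample event shows the rule's deliberate scope: only connections made by the kernel SMB redirector (PID 4) are considered, so a user-mode process speaking SMB on its own socket is out of scope for this rule.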
