Rare SMB Connection to the Internet
This rule detects rare outbound network connections to the internet over the SMB protocol. SMB is commonly abused to leak NTLM credentials via rogue UNC path injection.
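[metadata]
# Dates are YYYY/MM/DD strings rather than native TOML dates.
creation_date = "2023/12/04"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"
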
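[rule]
author = ["Elastic"]
description = """
This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.
"""
# Lookback window. Because timestamp_override is set to event.ingested below,
# this selects events ingested in the last 9 minutes, not events that occurred then.
from = "now-9m"
index = [
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Rare SMB Connection to the Internet"
references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"]
risk_score = 47
rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "new_terms"

# The KQL query is a string value, so notes about it live here rather than inline:
# - process.pid:4 is the Windows System process, which hosts the kernel-mode SMB
#   client (redirector); outbound SMB connections are attributed to it.
# - source.ip is restricted to RFC 1918 space, so an endpoint with a directly
#   assigned public address never matches; revisit this for cloud-hosted hosts.
# - destination.ip excludes private, loopback, link-local, reserved, CGNAT,
#   benchmarking, documentation and multicast ranges so that only
#   internet-routable destinations remain. 0.0.0.0/8 and the IPv6 unique-local
#   range FC00::/7 are not excluded; consider adding them if they show up as
#   false positives. The 192.0.0.0/29 and 192.0.0.x/32 entries are subsets of
#   192.0.0.0/24 and are therefore redundant but harmless.
query = '''
event.category:network and host.os.type:windows and process.pid:4 and
 network.transport:tcp and destination.port:(139 or 445) and
 source.ip:(
 10.0.0.0/8 or
 172.16.0.0/12 or
 192.168.0.0/16
 ) and
 not destination.ip:(
 10.0.0.0/8 or
 127.0.0.0/8 or
 169.254.0.0/16 or
 172.16.0.0/12 or
 192.0.0.0/24 or
 192.0.0.0/29 or
 192.0.0.8/32 or
 192.0.0.9/32 or
 192.0.0.10/32 or
 192.0.0.170/32 or
 192.0.0.171/32 or
 192.0.2.0/24 or
 192.31.196.0/24 or
 192.52.193.0/24 or
 192.168.0.0/16 or
 192.88.99.0/24 or
 224.0.0.0/4 or
 100.64.0.0/10 or
 192.175.48.0/24 or
 198.18.0.0/15 or
 198.51.100.0/24 or
 203.0.113.0/24 or
 240.0.0.0/4 or
 "::1" or
 "FE80::/10" or
 "FF00::/8"
 )
'''
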
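# Only the exfiltration tactic is mapped. The NTLM credential-leak scenario in the
# description corresponds to Forced Authentication (T1187, Credential Access),
# which could be added as a second [[rule.threat]] entry.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
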
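[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip"]

# new_terms rules alert on values not seen during the history window, so a
# destination.ip already observed in the last 7 days does not alert again;
# repeated transfers to the same external host produce a single alert.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"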