Rare SMB Connection to the Internet

This rule detects rare outbound network connections to the internet over the SMB protocol. SMB is commonly abused to leak NTLM credentials via rogue UNC path injection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/12/04"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/12/04"
 8
 9
[rule]
author = ["Elastic"]
description = """
This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.
"""
# Lookback per run, measured against event.ingested (see timestamp_override)
# rather than @timestamp, so late-arriving events are still evaluated.
from = "now-9m"
index = [
    "logs-endpoint.events.*",
    "winlogbeat-*",
    "logs-windows.*",
    "endgame-*",
]
language = "kuery"
license = "Elastic License v2"
name = "Rare SMB Connection to the Internet"
references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"]
risk_score = 47
rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
# "new_terms": a matching event only alerts when the tracked field
# (destination.ip, configured under [rule.new_terms]) has not been seen
# within the history window.
type = "new_terms"

# Query scope, reading top to bottom:
#  - process.pid:4 is the Windows System process, i.e. the kernel SMB
#    redirector, so the match is on the redirector's outbound connection
#    rather than on whichever user-mode process supplied the UNC path.
#  - source.ip is limited to the three RFC 1918 ranges. A host whose source
#    address is CGNAT (100.64.0.0/10) or IPv6 therefore never matches — a
#    coverage gap to keep in mind, not a parsing error.
#  - destination.ip excludes private, loopback, link-local, multicast,
#    reserved and documentation ranges plus three IPv6 entries. The IPv6
#    unique-local range (fc00::/7) is not in the list — NOTE(review):
#    confirm whether that omission is intended.
# The query is a literal string: nothing inside the quotes is escaped and
# comments cannot be placed inside it.
query = '''
event.category:network and host.os.type:windows and process.pid:4 and 
  network.transport:tcp and destination.port:(139 or 445) and 
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
# Only the exfiltration technique/tactic is mapped here; the NTLM-leak
# scenario named in the description has no separate entry.
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

# The field tracked for "first seen": a destination.ip that has not appeared
# in matching events within the history window produces an alert.
[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip"]
# How far back the "first seen" check looks (7 days).
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
