Rare SMB Connection to the Internet

calendar Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Exfiltration Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/12/04"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9
10[rule]
11author = ["Elastic"]
12description = """
13This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Rare SMB Connection to the Internet"
20references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"]
21risk_score = 47
22rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
25timestamp_override = "event.ingested"
26type = "new_terms"
27
28query = '''
29event.category:network and host.os.type:windows and process.pid:4 and 
30  network.transport:tcp and destination.port:(139 or 445) and 
31  source.ip:(
32    10.0.0.0/8 or
33    172.16.0.0/12 or
34    192.168.0.0/16
35  ) and
36  not destination.ip:(
37    10.0.0.0/8 or
38    127.0.0.0/8 or
39    169.254.0.0/16 or
40    172.16.0.0/12 or
41    192.0.0.0/24 or
42    192.0.0.0/29 or
43    192.0.0.8/32 or
44    192.0.0.9/32 or
45    192.0.0.10/32 or
46    192.0.0.170/32 or
47    192.0.0.171/32 or
48    192.0.2.0/24 or
49    192.31.196.0/24 or
50    192.52.193.0/24 or
51    192.168.0.0/16 or
52    192.88.99.0/24 or
53    224.0.0.0/4 or
54    100.64.0.0/10 or
55    192.175.48.0/24 or
56    198.18.0.0/15 or
57    198.51.100.0/24 or
58    203.0.113.0/24 or
59    240.0.0.0/4 or
60    "::1" or
61    "FE80::/10" or
62    "FF00::/8"
63  )
64'''
65
66
67
68[[rule.threat]]
69framework = "MITRE ATT&CK"
70[[rule.threat.technique]]
71id = "T1048"
72name = "Exfiltration Over Alternative Protocol"
73reference = "https://attack.mitre.org/techniques/T1048/"
74
75
76[rule.threat.tactic]
77id = "TA0010"
78name = "Exfiltration"
79reference = "https://attack.mitre.org/tactics/TA0010/"
80
81
82
83
84[rule.new_terms]
85field = "new_terms_fields"
86value = ["destination.ip"]
87[[rule.new_terms.history_window_start]]
88field = "history_window_start"
89value = "now-7d"

References

Related rules

to-top