Rare SMB Connection to the Internet

This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.


 1[metadata]
 2creation_date = "2023/12/04"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials
11via rogue UNC path injection.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Rare SMB Connection to the Internet"
18references = ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"]
19risk_score = 47
20rule_id = "f580bf0a-2d23-43bb-b8e1-17548bb947ec"
21severity = "medium"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Exfiltration",
27    "Data Source: Elastic Endgame",
28    "Data Source: Elastic Defend",
29    "Data Source: Sysmon",
30]
31timestamp_override = "event.ingested"
32type = "new_terms"
33
34query = '''
35event.category:network and host.os.type:windows and process.pid:4 and 
36  network.transport:tcp and destination.port:(139 or 445) and 
37  source.ip:(
38    10.0.0.0/8 or
39    172.16.0.0/12 or
40    192.168.0.0/16
41  ) and
42  not destination.ip:(
43    10.0.0.0/8 or
44    127.0.0.0/8 or
45    169.254.0.0/16 or
46    172.16.0.0/12 or
47    192.0.0.0/24 or
48    192.0.0.0/29 or
49    192.0.0.8/32 or
50    192.0.0.9/32 or
51    192.0.0.10/32 or
52    192.0.0.170/32 or
53    192.0.0.171/32 or
54    192.0.2.0/24 or
55    192.31.196.0/24 or
56    192.52.193.0/24 or
57    192.168.0.0/16 or
58    192.88.99.0/24 or
59    224.0.0.0/4 or
60    100.64.0.0/10 or
61    192.175.48.0/24 or
62    198.18.0.0/15 or
63    198.51.100.0/24 or
64    203.0.113.0/24 or
65    240.0.0.0/4 or
66    "::1" or
67    "FE80::/10" or
68    "FF00::/8"
69  )
70'''
71
72
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1048"
77name = "Exfiltration Over Alternative Protocol"
78reference = "https://attack.mitre.org/techniques/T1048/"
79
80
81[rule.threat.tactic]
82id = "TA0010"
83name = "Exfiltration"
84reference = "https://attack.mitre.org/tactics/TA0010/"
85
86[rule.new_terms]
87field = "new_terms_fields"
88value = ["destination.ip"]
89[[rule.new_terms.history_window_start]]
90field = "history_window_start"
91value = "now-7d"
