Unsigned or Unencrypted SMB Connection to Share Established

Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.

Sigma rule

```yaml
title: Unsigned or Unencrypted SMB Connection to Share Established
id: 8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12
status: experimental
description: |
    Detects SMB server connections to shares without signing or encryption enabled.
    This could indicate potential lateral movement activity using unsecured SMB shares.
author: Mohamed Abdelghani
date: 2025-10-19
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: smbserver-connectivity
detection:
    selection_shares:
        EventID: 4000
        ShareName|contains:
            - 'IPC$'
            - 'ADMIN$'
            - 'C$'
    selection_status:
        - SigningUsed: 'false'
        - EncyptionUsed: 'false' # Note: typo in the original event field name
    filter_main_local_ips:
        - ClientAddress|cidr:
              # IPv4
              # - '10.0.0.0/8'
              - '127.0.0.0/8'
              - '169.254.0.0/16'
              # - '172.16.0.0/12'
              # - '192.168.0.0/16'
              # IPv6
              - '::1/128'  # IPv6 loopback
              - 'fe80::/10'  # IPv6 link-local addresses
              - 'fc00::/7'  # IPv6 private addresses
        # The filters below cover the XML raw log
        - ClientAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              # - '0200????C0A8' # 192.168.
              # - '0200????AC' # 172.
              # - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.
level: medium
```
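To see exactly which events the rule fires on, the following Python re-implements its matching logic and runs it over a handful of constructed Event ID 4000 records. This is an added example, not code from the rule author or the Sigma project: a real deployment converts the YAML with a Sigma backend rather than hand-coding it. The event dictionaries, the `\\*\ShareName` form of `ShareName`, and the raw hex `ClientAddress` layout (`0200`, four hex digits of port, then the address bytes, as the rule's comments describe) are assumptions made for the sample data. Two details worth noticing: `selection_status` is a list of maps, so its entries are ORed and a signed-but-unencrypted connection still matches, and the Sigma `?` wildcard in the raw-hex patterns stands for exactly one character.

```python
import ipaddress
import re

# Values copied from the rule above
SHARE_MARKERS = ("IPC$", "ADMIN$", "C$")
LOCAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
RAW_LOCAL_PATTERNS = (
    "00000000000000000000000000000001",  # ::1
    "FE80000000000000",                  # fe80::
    "FC00000000000000",                  # fc00::
    "0200????7F",                        # 127.x.x.x; each '?' is one hex digit of the port
    "0200????A9FE",                      # 169.254.x.x
)


def sigma_contains(value: str, pattern: str) -> bool:
    """Sigma 'contains' semantics: case-insensitive substring, '?' = one character, '*' = any run."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.search("".join(parts), value, re.IGNORECASE) is not None


def is_local_client(client_address: str) -> bool:
    """filter_main_local_ips: CIDR test on a parsed IP, substring test on the raw hex form."""
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        # Not a textual IP, so treat it as the hex-encoded value from the raw XML event (assumed layout)
        return any(sigma_contains(client_address, p) for p in RAW_LOCAL_PATTERNS)
    return any(ip in net for net in LOCAL_CIDRS)   # mixed IPv4/IPv6 comparisons return False


def matches_rule(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selection_shares = str(event.get("EventID")) == "4000" and any(
        sigma_contains(str(event.get("ShareName", "")), m) for m in SHARE_MARKERS)
    # selection_status is a list of maps, so the two entries are ORed:
    # a connection that is signed but unencrypted still matches
    selection_status = (str(event.get("SigningUsed", "")).lower() == "false"
                        or str(event.get("EncyptionUsed", "")).lower() == "false")
    return selection_shares and selection_status and not is_local_client(str(event.get("ClientAddress", "")))


# Constructed sample events: field names come from the rule, every value is invented
SAMPLE_EVENTS = [
    {"EventID": 4000, "ShareName": r"\\*\ADMIN$", "ClientAddress": "203.0.113.10",
     "SigningUsed": "false", "EncyptionUsed": "false"},   # remote, unsigned and unencrypted
    {"EventID": 4000, "ShareName": r"\\*\C$", "ClientAddress": "203.0.113.10",
     "SigningUsed": "true", "EncyptionUsed": "false"},    # remote, signed but unencrypted
    {"EventID": 4000, "ShareName": r"\\*\IPC$", "ClientAddress": "127.0.0.1",
     "SigningUsed": "false", "EncyptionUsed": "false"},   # loopback: filtered by the cidr list
    {"EventID": 4000, "ShareName": r"\\*\IPC$", "ClientAddress": "0200C0A87F000001",
     "SigningUsed": "false", "EncyptionUsed": "false"},   # raw hex for 127.0.0.1: filtered by '0200????7F'
    {"EventID": 4000, "ShareName": r"\\*\Public", "ClientAddress": "203.0.113.10",
     "SigningUsed": "false", "EncyptionUsed": "false"},   # share not covered by selection_shares
    {"EventID": 4000, "ShareName": r"\\*\ADMIN$", "ClientAddress": "fe80::1",
     "SigningUsed": "false", "EncyptionUsed": "false"},   # IPv6 link-local: filtered
    {"EventID": 4000, "ShareName": r"\\*\ADMIN$", "ClientAddress": "203.0.113.10",
     "SigningUsed": "true", "EncyptionUsed": "true"},     # signed and encrypted: no alert
]


def evaluate(events):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # -> [0, 1]
```

When tuning the commented-out RFC 1918 ranges back in, remember that the `cidr` list and the raw-hex `contains` list are separate filter entries, so an address format the SIEM normalises differently from the one you tested will slip past whichever list does not cover it.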
