Query Details

Anomalous amount of SMB sessions created (BloodHound)

Anomalous SMB Sessions Created

Query

let Threshold = 50; // Can be adjusted to reduce false positives
DeviceNetworkEvents
| where ingestion_time() > ago(1h)
| where RemotePort == 445
| summarize
     TotalIpsAccessed = dcount(RemoteIP),
     RemoteIPs = make_set(RemoteIP),
     arg_max(Timestamp, *)
     by DeviceName, bin(Timestamp, 15m)
| where TotalIpsAccessed >= Threshold 
| project-reorder Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath

About this query

Anomalous amount of SMB sessions created (BloodHound)

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1018Remote System Discoveryhttps://attack.mitre.org/techniques/T1018

Description

This detection rule is aimed to detect a host that performs SMB Discovery by alerting if a device creates more then 50 unique SMB sessions within 15 minutes. That is one of the characteristics of bloodhound. The SMB sessions can be used to identify remote systems.

Risk

A actor has gotten access to a system en performs a scan to identify possible lateral movement paths.

Defender XDR

Sentinel

let Threshold = 50; // Can be adjusted to reduce false positives
DeviceNetworkEvents
| where ingestion_time() > ago(1h)
| where RemotePort == 445
| summarize
     TotalIpsAccessed = dcount(RemoteIP),
     RemoteIPs = make_set(RemoteIP),
     arg_max(TimeGenerated, *)
     by DeviceName, bin(TimeGenerated, 15m)
| where TotalIpsAccessed >= Threshold 
| project-reorder TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath

Explanation

This query is designed to detect unusual activity on a network that might indicate a security threat. Specifically, it looks for devices that are creating a large number of SMB (Server Message Block) sessions in a short period of time, which could be a sign of a tool like BloodHound being used for network discovery.

Here's a simple breakdown of what the query does:

  1. Threshold Setting: It sets a threshold of 50 unique SMB sessions within 15 minutes. This threshold can be adjusted to reduce false positives.

  2. Data Source: The query looks at network events from devices, specifically those that have been ingested in the last hour.

  3. Filter Criteria: It filters the events to only include those where the remote port is 445, which is used for SMB communication.

  4. Aggregation: It counts the number of unique IP addresses accessed by each device within 15-minute intervals.

  5. Alert Condition: If a device accesses 50 or more unique IPs within a 15-minute window, it is flagged as potentially suspicious.

  6. Output: The query outputs details such as the timestamp, device name, command line of the initiating process, account name, and folder path of the initiating process for further investigation.

This query helps identify potential security threats by flagging devices that might be scanning the network for vulnerable systems, which is a common precursor to lateral movement within a network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: July 23, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsRemoteIPTimestampNameInitiatingProcessCommandLineAccountFolderPath

Operators

let//|where>ago()==summarizedcount()make_set()arg_max()bybin()>=project-reorder

MITRE Techniques

Actions

GitHub