Anomalous SMB Sessions Created

# Anomalous amount of SMB sessions created (BloodHound)

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1018 | Remote System Discovery | https://attack.mitre.org/techniques/T1018|

#### Description
This detection rule is intended to detect a host that performs SMB discovery by alerting when a device creates more than 100 unique SMB sessions within 15 minutes. That is one of the characteristics of BloodHound. The SMB sessions can be used to identify remote systems.

#### Risk
An actor has gained access to a system and performs a scan to identify possible lateral movement paths.

## Defender For Endpoint
```
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort == 445
| summarize
     TotalIpsAccessed = dcount(RemoteIP),
     RemoteIPs = make_set(RemoteIP),
     arg_max(Timestamp, *)
     by DeviceName, bin(Timestamp, 15m)
| where TotalIpsAccessed > 100 // Can be adjusted to reduce false positives
| project-reorder
     Timestamp,
     DeviceName,
     InitiatingProcessAccountDomain,
     InitiatingProcessAccountName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath
```
## Sentinel
```
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemotePort == 445
| summarize
     TotalIpsAccessed = dcount(RemoteIP),
     RemoteIPs = make_set(RemoteIP),
     arg_max(TimeGenerated, *)
     by DeviceName, bin(TimeGenerated, 15m)
| where TotalIpsAccessed > 100 // Can be adjusted to reduce false positives
| project-reorder
     TimeGenerated,
     DeviceName,
     InitiatingProcessAccountDomain,
     InitiatingProcessAccountName,
     InitiatingProcessCommandLine,
     InitiatingProcessFolderPath
```

#### Versions
| Version | Comment |
| ---  | --- |
| 1.0 | Initial commit |
| 1.1 | Timespan update |



Explanation

This query is designed to detect a host that is performing SMB Discovery, which is a technique used to identify remote systems. It alerts if a device creates more than 100 unique SMB sessions within a 15-minute timeframe. This behavior is often associated with the BloodHound tool, which is used by attackers to identify possible lateral movement paths. The query retrieves network events from the past hour, filters for events on port 445 (the SMB port), and then summarizes the data by device name and time. It calculates the total number of unique IP addresses accessed and creates a set of those IP addresses. If the total number of unique IP addresses accessed is greater than 100, it returns the relevant information about the device and the initiating process. The query can be adjusted to reduce false positives.
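The rule's logic re-implemented in Python over constructed events, as an added example that is not part of the original query page: `detect_fixed_bins` mirrors the KQL (distinct RemoteIP count per DeviceName and 15-minute bin, threshold 100), and `detect_sliding` counts the same thing over a sliding 15-minute window, which shows the tuning caveat that fixed bins split a burst that crosses a bin boundary. Device names, IP addresses and timestamps are constructed; the KQL `bin()` semantics are reproduced with a floor to the 15-minute boundary.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BIN = timedelta(minutes=15)   # bin(Timestamp, 15m) in the KQL
THRESHOLD = 100               # TotalIpsAccessed > 100 in the KQL; tune per environment

def bin_start(ts):
    """Floor a timestamp to its 15-minute bin, like KQL bin(Timestamp, 15m)."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // BIN) * BIN

def detect_fixed_bins(events, threshold=THRESHOLD):
    """summarize dcount(RemoteIP) by DeviceName, bin(Timestamp, 15m) | where > threshold."""
    seen = defaultdict(set)
    for e in events:
        if e["RemotePort"] == 445:
            seen[(e["DeviceName"], bin_start(e["Timestamp"]))].add(e["RemoteIP"])
    return sorted((dev, ts.isoformat(), len(ips))
                  for (dev, ts), ips in seen.items() if len(ips) > threshold)

def detect_sliding(events, threshold=THRESHOLD, window=BIN):
    """Distinct-IP count per device over a sliding window; unaffected by bin boundaries."""
    hits, by_dev = set(), defaultdict(list)
    for e in events:
        if e["RemotePort"] == 445:
            by_dev[e["DeviceName"]].append((e["Timestamp"], e["RemoteIP"]))
    for dev, rows in by_dev.items():
        win, counts = deque(), defaultdict(int)
        for ts, ip in sorted(rows):
            win.append((ts, ip))
            counts[ip] += 1
            while ts - win[0][0] >= window:          # evict rows older than the window
                old_ts, old_ip = win.popleft()
                counts[old_ip] -= 1
                if counts[old_ip] == 0:
                    del counts[old_ip]
            if len(counts) > threshold:
                hits.add(dev)
    return sorted(hits)

def make_events(device, start, n_ips, spread):
    """Constructed DeviceNetworkEvents-like rows: n_ips distinct RemoteIPs spread evenly over `spread`."""
    return [{"Timestamp": start + spread * i / n_ips, "DeviceName": device,
             "RemotePort": 445, "RemoteIP": f"10.0.{i // 256}.{i % 256}"} for i in range(n_ips)]

T0 = datetime(2023, 4, 17, 9, 57, tzinfo=timezone.utc)   # constructed sample data (hostnames and IPs are made up)
SAMPLE_EVENTS = (
    make_events("WKS-007", T0, 5, timedelta(minutes=5))                              # normal file-share use
    + make_events("WKS-042", T0, 120, timedelta(minutes=6))                          # 120 hosts 09:57-10:03, straddles 10:00
    + make_events("SRV-FS01", T0 + timedelta(minutes=8), 150, timedelta(minutes=5))  # 150 hosts inside the 10:00 bin
)
```

On the sample data the fixed-bin version alerts only on SRV-FS01 (WKS-042 lands as 60 + 60 across two bins), while the sliding window flags both; the same split also explains why lowering the threshold is the usual first tuning step for this rule.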

Details

Bert-Jan Pals

Released: April 17, 2023

Tables

DeviceNetworkEvents

Keywords

Devices, Intune, User
