
# *Detect Unknown process using SMB or WinRM*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | https://attack.mitre.org/techniques/T1021/002/ |
| T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ |

#### Description
WinRM and SMB are two of the network protocols most commonly used by adversaries for lateral movement (others exist, such as RDP and DCOM). When an unknown process initiates SMB or WinRM connections, this may indicate that a malicious process is trying to move laterally to other devices in your network.

> [!WARNING]
> This rule is a base detection only. You will need to add environment-specific tuning (exclusions for the processes and hosts that legitimately use SMB or WinRM) to limit benign-positive (BP) detections on legitimate processes.

#### Risk
Detects possible malware performing lateral movement over SMB (TCP 445) and WinRM (TCP 5985/5986) by flagging low-prevalence processes that initiate connections to those ports.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://thecollective.eu/

## Defender XDR
```KQL
// Base rule: low-prevalence ("unknown") processes connecting to SMB or WinRM ports.
// TimeGenerated is the column name when the table is queried through Microsoft Sentinel;
// in the Defender portal's advanced hunting the same table exposes it as Timestamp.
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
// RemotePort is numeric: 445 = SMB, 5985 = WinRM over HTTP, 5986 = WinRM over HTTPS
| where RemotePort in (445, 5985, 5986)
| where ActionType in~ ("ConnectionSuccess", "ConnectionAttempt",
    "ConnectionFailed", "ConnectionRequest")
// FileProfile enriches on a hash; rows without one cannot be profiled
| where isnotempty(InitiatingProcessSHA256)
| invoke FileProfile(InitiatingProcessSHA256)
// Keep only files Microsoft has observed fewer than 1000 times globally
| where isnotempty(GlobalPrevalence) and GlobalPrevalence < 1000
```

## Explanation

This query detects potentially malicious activity by identifying unknown processes that open connections over SMB (Server Message Block) or WinRM (Windows Remote Management), two protocols commonly used by attackers for lateral movement.

Here's a simplified breakdown of what the query does:

  1. Data Source: It reads network events from the `DeviceNetworkEvents` table, limited to the last hour.

  2. Target Ports: It keeps only connections to remote ports 445 (SMB), 5985 (WinRM over HTTP) and 5986 (WinRM over HTTPS).

  3. Connection Types: It includes successful, attempted, failed and requested connections, so a refused or blocked connection still surfaces.

  4. Process Identification: It requires a SHA256 hash for the initiating process; without a hash the process cannot be profiled, so those rows are dropped.

  5. File Profiling: It calls the `FileProfile` enrichment function with that hash to pull in Microsoft's file-reputation data, including `GlobalPrevalence`, signer details and any known threat name.

  6. Prevalence Check: It keeps only processes whose `GlobalPrevalence` is known and below 1000, i.e. files Microsoft has observed rarely worldwide. Widely distributed binaries such as standard Windows components are discarded, leaving uncommon and potentially suspicious processes.

The goal is to surface unusual processes that may be malware moving laterally over SMB or WinRM. This is a base detection: expect legitimate low-prevalence tooling (in-house scripts, niche admin utilities) to appear, and add environment-specific exclusions to reduce those benign hits.
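The warning in the Query Information section asks for environment-specific tuning, and the explanation above walks through the steps of the base rule. The query below is an added example, not part of the original rule or the author's code, showing one way to layer that tuning on top of the base logic: allow-listing known processes and admin hosts, using the signing fields that `FileProfile` returns, and aggregating per process so a single binary fanning out to several hosts stands out. The process names, host names and the threshold of three distinct targets are placeholder assumptions to be replaced with values from your own environment.

```kql
// Added example (not the original rule): base detection plus environment tuning.
let lookback = 1h;
// 445 = SMB, 5985 = WinRM over HTTP, 5986 = WinRM over HTTPS
let lateral_ports = dynamic([445, 5985, 5986]);
// Hypothetical allow-list of processes that legitimately use SMB/WinRM here.
// powershell.exe and wsmprovhost.exe are typical WinRM client/host processes,
// svchost.exe hosts the SMB client; MonitoringAgent.exe is a placeholder.
let known_good_processes = dynamic([
    "powershell.exe",
    "wsmprovhost.exe",
    "svchost.exe",
    "MonitoringAgent.exe"
]);
// Hypothetical admin jump hosts expected to initiate WinRM/SMB at will.
let admin_hosts = dynamic(["jump01.corp.example", "jump02.corp.example"]);
DeviceNetworkEvents
// TimeGenerated when queried through Microsoft Sentinel; Timestamp in Defender XDR advanced hunting
| where TimeGenerated > ago(lookback)
| where RemotePort in (lateral_ports)
| where ActionType in~ ("ConnectionSuccess", "ConnectionAttempt",
    "ConnectionFailed", "ConnectionRequest")
| where isnotempty(InitiatingProcessSHA256)
// Environment-specific exclusions: apply them before FileProfile, which enriches
// only a limited number of rows per query, so the budget is spent on candidates.
| where DeviceName !in~ (admin_hosts)
| where InitiatingProcessFileName !in~ (known_good_processes)
| invoke FileProfile(InitiatingProcessSHA256)
| where isnotempty(GlobalPrevalence) and GlobalPrevalence < 1000
// Tuning choice: drop binaries carrying a valid, Microsoft-rooted signature.
// coalesce() guards against null signing fields on unsigned files, which
// would otherwise evaluate to null and be silently filtered out.
| where not(coalesce(IsRootSignerMicrosoft, false) and coalesce(IsCertificateValid, false))
| extend TargetProtocol = case(
    RemotePort == 445, "SMB",
    RemotePort == 5985, "WinRM-HTTP",
    "WinRM-HTTPS")
// One row per unknown binary: how many hosts it reached and from where.
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Connections = count(),
    TargetCount = dcount(RemoteIP),
    Targets = make_set(RemoteIP, 20),
    Protocols = make_set(TargetProtocol),
    SourceDevices = make_set(DeviceName, 10)
    by InitiatingProcessSHA256, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessAccountName, GlobalPrevalence, Signer, IsCertificateValid, ThreatName
// Fan-out to several distinct hosts is the lateral-movement signal; 3 is a placeholder threshold.
| where TargetCount >= 3
| order by TargetCount desc, GlobalPrevalence asc
```

The allow-lists are the part that needs care: a blanket exclusion of `powershell.exe` hides a malicious script using WinRM, so in practice scope such entries to the admin hosts and accounts that are expected to run them rather than excluding the process name everywhere. Keeping `ThreatName` and the signing columns in the output makes triage faster without narrowing the detection further.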


Released: January 12, 2026
