Query Details
```kql
// Endpoint SMB exposed on Public Internet
// Actor Profile: Seashell Blizzard
// Seashell Blizzard (IRIDIUM) is a Russian cyber threat actor linked to the GRU. Active since 2013,
// they have conducted high-profile cyber attacks, including KillDisk, NotPetya, and FoxBlade.
// Their operations target critical infrastructure and support geopolitical objectives, using tools
// like Cobalt Strike and DarkCrystalRAT for espionage and sabotage.
// The following list has some of the vulnerabilities this group has exploited recently.
// CVE-2017-0143 - Microsoft Server Message Block 1.0 (SMBv1)
// CVE-2017-0145 - Microsoft Server Message Block 1.0 (SMBv1)
// I have provided a KQL detection for Endpoint SMB exposed on Public Internet for defenders
// to tighten their attack surface area against IRIDIUM.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == @"InboundConnectionAccepted"
| where LocalPort == 445            // LocalPort is an integer column, so compare against a number
| where RemoteIPType == @"Public"
| where not (ipv4_is_private(LocalIP))
// Mitre ATT&CK
```
This KQL query helps defenders find an avoidable exposure on their network: endpoints whose SMB (Server Message Block) service has accepted connections from the public internet. Here is a breakdown of the query and its context:
Context: The query is part of a security strategy to protect against a Russian cyber threat actor known as Seashell Blizzard (also referred to as IRIDIUM), which is linked to the GRU. This group has been active since 2013 and is known for high-profile cyber attacks targeting critical infrastructure. They exploit vulnerabilities like those in Microsoft's SMBv1 protocol.
Purpose: The query detects devices that have accepted inbound connections on port 445 (the default SMB port) from public IP addresses within the last 30 days. An accepted connection from a public source means the SMB service is reachable from the internet, which is the precondition for the SMBv1 exploits listed above and is the exposure defenders should close.
Query Breakdown:
- DeviceNetworkEvents: the table being queried; it holds the network connection events reported by the Defender for Endpoint sensor.
- | where Timestamp > ago(30d): keeps only events from the last 30 days.
- | where ActionType == @"InboundConnectionAccepted": keeps events where the device accepted an inbound connection, as opposed to connections the device initiated.
- | where LocalPort == 445: keeps connections accepted on port 445, the SMB port. LocalPort is an integer column, so the comparison uses a numeric literal.
- | where RemoteIPType == @"Public": keeps connections whose remote address the sensor classified as public, i.e. the peer was on the internet rather than on the internal network.
- | where not (ipv4_is_private(LocalIP)): keeps devices whose own local address is outside the RFC 1918 ranges (10/8, 172.16/12, 192.168/16), i.e. hosts that carry a public address themselves. Two consequences to keep in mind when reading the results: a host exposed through NAT or a port forward has a private local address and is dropped by this filter, and a device whose LocalIP is an IPv6 address is also dropped, because ipv4_is_private returns null for anything that is not IPv4 and the where operator discards null. Removing this final line widens the search to both cases at the cost of more rows to triage.
- Mitre ATT&CK: the closing comment is a placeholder for mapping the detection to the MITRE ATT&CK framework, the knowledge base of adversary tactics and techniques; no technique is listed in the query itself.
Overall, this query gives security teams a list of devices with SMB reachable from the public internet, so the exposure can be removed (by firewalling port 445 at the edge or disabling SMBv1) before a threat actor such as Seashell Blizzard can exploit it for espionage or sabotage.
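To make the filter chain concrete, the following added example (my own code, not the page's query or Microsoft's API) re-implements the same six-stage filter in Python and runs it over a handful of constructed DeviceNetworkEvents-style records, then summarizes the hits per device. Column names mirror the table the query reads; the record contents, device names and addresses are constructed sample data, and the ipv4_is_private helper reproduces the KQL function's RFC 1918-only definition, including its null result for non-IPv4 input. It goes slightly beyond the page's query by adding the per-device summary a summarize operator would produce.

```python
"""Stand-in for the page's KQL filter chain, run over constructed records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class NetworkEvent:
    # Field names mirror Microsoft Defender's DeviceNetworkEvents columns;
    # the values used below are constructed, not real telemetry.
    Timestamp: datetime
    DeviceName: str
    ActionType: str
    LocalIP: str
    LocalPort: int
    RemoteIP: str
    RemoteIPType: str  # "Public", "Private", ... as populated by the sensor


# KQL's ipv4_is_private() tests only the three RFC 1918 blocks.
_RFC1918 = tuple(ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def ipv4_is_private(ip: str):
    """Mirror KQL ipv4_is_private(): True/False for IPv4, None (KQL null) otherwise."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    return any(addr in net for net in _RFC1918)


def exposed_smb_endpoints(events, now, lookback_days=30):
    """Apply the query's where clauses in order and return the surviving rows."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for e in events:
        if e.Timestamp <= cutoff:                     # Timestamp > ago(30d)
            continue
        if e.ActionType != "InboundConnectionAccepted":
            continue
        if e.LocalPort != 445:
            continue
        if e.RemoteIPType != "Public":
            continue
        # not(null) is null in KQL and where drops null, so only an explicit
        # False passes this stage; IPv6 local addresses fall out here.
        if ipv4_is_private(e.LocalIP) is not False:
            continue
        hits.append(e)
    return hits


def summarize_by_device(hits):
    """Per-device hit count and sorted distinct remote sources (triage view)."""
    summary = {}
    for e in hits:
        count, remotes = summary.get(e.DeviceName, (0, set()))
        summary[e.DeviceName] = (count + 1, remotes | {e.RemoteIP})
    return {d: (c, sorted(r)) for d, (c, r) in summary.items()}


# Constructed sample data: addresses come from the RFC 5737 documentation ranges.
NOW = datetime(2024, 11, 26, tzinfo=timezone.utc)


def _at(days_ago):
    return NOW - timedelta(days=days_ago)


SAMPLE_EVENTS = [
    NetworkEvent(_at(2), "srv-fileshare-01", "InboundConnectionAccepted", "203.0.113.10", 445, "198.51.100.7", "Public"),
    NetworkEvent(_at(5), "srv-fileshare-01", "InboundConnectionAccepted", "203.0.113.10", 445, "198.51.100.9", "Public"),
    NetworkEvent(_at(1), "ws-nat-02", "InboundConnectionAccepted", "10.20.30.40", 445, "198.51.100.7", "Public"),      # private LocalIP: dropped
    NetworkEvent(_at(3), "srv-fileshare-01", "InboundConnectionAccepted", "203.0.113.10", 445, "192.168.5.5", "Private"),  # internal peer: dropped
    NetworkEvent(_at(3), "srv-rdp-03", "InboundConnectionAccepted", "203.0.113.11", 3389, "198.51.100.7", "Public"),    # not SMB: dropped
    NetworkEvent(_at(45), "srv-old-04", "InboundConnectionAccepted", "203.0.113.12", 445, "198.51.100.7", "Public"),    # outside 30 days: dropped
    NetworkEvent(_at(2), "srv-out-05", "ConnectionSuccess", "203.0.113.13", 445, "198.51.100.7", "Public"),             # outbound: dropped
    NetworkEvent(_at(2), "srv-v6-06", "InboundConnectionAccepted", "2001:db8::10", 445, "198.51.100.7", "Public"),      # IPv6 LocalIP: dropped
]

if __name__ == "__main__":
    for device, (count, remotes) in summarize_by_device(exposed_smb_endpoints(SAMPLE_EVENTS, NOW)).items():
        print(f"{device}: {count} accepted SMB connections from {remotes}")
```

Running it reports only srv-fileshare-01, with two accepted connections from two distinct public sources. The commented-out reasons on the other records show which clause removed each one; the NAT'd and IPv6 hosts are the two cases the last where clause hides, which is worth remembering when the result set looks cleaner than the network really is.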

Steven Lim
Released: November 26, 2024