Query Details

Hunting Rogue Endpoints Via SMB Detection

Query

// Hunting Rogue Endpoints via SMB Detection

// In recent ransomware attacks, many adversaries leverage the SMB service to initiate attacks and conduct lateral movement. Therefore, a simple and effective control measure is to block SMB traffic between clients using Windows Firewall. If you have a firewall policy in place and are using Microsoft Defender for Endpoint (MDE), running the following Kusto Query Language (KQL) script will help you identify potential rogue endpoints plugged into your network that are attempting to attack other endpoints or an endpoint EDR that has been disabled by ransomware and is launching attacks within your network environment.

// Additionally, I’ve included the latest blog post from Seqrite, "Exposed SMB: The Hidden Risk Behind ‘WannaCry’ Ransomware Attacks," in the comments section. This post will help you understand the ransomware attack methodology and demonstrate how my KQL script can serve as an early warning detection mechanism.

// https://www.seqrite.com/blog/wanttocry-ransomware-smb-vulnerability/

DeviceEvents
| where ActionType == @"FirewallInboundConnectionBlocked"
| where LocalPort == "445"
| summarize TargetDevice=dcount(DeviceName) by RemoteIP
| where TargetDevice > 3

Explanation

This KQL query is designed to help identify potentially rogue endpoints on a network by monitoring blocked inbound SMB connections. Here's a simple breakdown of what the query does:

  1. Data Source: It reads DeviceEvents, the Microsoft Defender for Endpoint advanced hunting table that records a wide range of device activity, including Windows Firewall events.

  2. Filter Criteria:
    • It keeps only events whose action type is FirewallInboundConnectionBlocked, meaning the host firewall blocked an inbound connection attempt.
    • It further narrows the results to connections targeting local port 445, the port used by the SMB (Server Message Block) protocol.

  3. Analysis:
    • For each remote IP address (RemoteIP), it counts the number of distinct devices (TargetDevice) whose firewall blocked an inbound SMB connection from that address. Note that dcount is an approximate distinct count, which is accurate for the small numbers involved here.

  4. Alert Condition:
    • It returns only the remote IPs that have attempted SMB connections to more than three different devices, which suggests scanning or lateral movement rather than a one-off misconfiguration.

The purpose of this query is to detect unusual SMB traffic patterns that could indicate rogue devices or compromised endpoints attempting lateral movement within the network, which is a common tactic in ransomware attacks. Legitimate sources such as vulnerability scanners, backup servers or management systems can also connect to port 445 on many hosts, so known infrastructure addresses should be excluded and the threshold of three devices tuned to the environment before the query is used for alerting.
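To make the aggregation concrete, the following added example (not part of the original page and not Microsoft's or the author's code) reimplements the query's logic in Python over a handful of constructed DeviceEvents-style rows: filter to blocked inbound connections on port 445, count distinct DeviceName values per RemoteIP, and report sources exceeding the threshold. The column names mirror the KQL query; the sample rows, the 'ws' device names and the IP addresses are invented for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, Mapping, Any

# Constructed sample rows using the DeviceEvents columns the KQL query relies on.
# They are not real telemetry. One source (10.0.0.50) hits five different hosts,
# including the same host twice, one source hits only two hosts, and one source
# is blocked on RDP (3389) rather than SMB and must not be reported.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.50"},
    {"DeviceName": "ws01", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.50"},
    {"DeviceName": "ws02", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.50"},
    {"DeviceName": "ws03", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": "445", "RemoteIP": "10.0.0.50"},
    {"DeviceName": "ws04", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.50"},
    {"DeviceName": "ws05", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.50"},
    {"DeviceName": "ws01", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.77"},
    {"DeviceName": "ws02", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 445, "RemoteIP": "10.0.0.77"},
    {"DeviceName": "ws01", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 3389, "RemoteIP": "10.0.0.90"},
    {"DeviceName": "ws02", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 3389, "RemoteIP": "10.0.0.90"},
    {"DeviceName": "ws03", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 3389, "RemoteIP": "10.0.0.90"},
    {"DeviceName": "ws04", "ActionType": "FirewallInboundConnectionBlocked", "LocalPort": 3389, "RemoteIP": "10.0.0.90"},
    {"DeviceName": "ws06", "ActionType": "ConnectionSuccess", "LocalPort": 445, "RemoteIP": "10.0.0.50"},
]


def blocked_smb_targets(events: Iterable[Mapping[str, Any]]) -> Dict[str, set]:
    """Equivalent of the query's two 'where' clauses plus the per-RemoteIP
    set of distinct target devices that 'summarize dcount(DeviceName)' counts."""
    targets: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.get("ActionType") != "FirewallInboundConnectionBlocked":
            continue
        try:
            # Accept both int and string port values, as the KQL literal "445" does.
            port = int(ev.get("LocalPort"))
        except (TypeError, ValueError):
            continue
        if port != 445:
            continue
        targets[ev["RemoteIP"]].add(ev["DeviceName"])
    return targets


def find_rogue_smb_sources(events: Iterable[Mapping[str, Any]], threshold: int = 3) -> Dict[str, int]:
    """Return {RemoteIP: distinct_target_count} for sources whose blocked
    inbound SMB attempts reached more than `threshold` distinct devices.
    This mirrors '| where TargetDevice > 3' in the KQL query."""
    return {
        ip: len(devices)
        for ip, devices in blocked_smb_targets(events).items()
        if len(devices) > threshold
    }


if __name__ == "__main__":
    for ip, count in find_rogue_smb_sources(SAMPLE_EVENTS).items():
        print(f"{ip} attempted SMB to {count} distinct devices")
```

Running the block reports only 10.0.0.50 with five distinct targets: the repeated hit on ws01 is counted once, 10.0.0.77 falls under the threshold, the RDP-blocked source is filtered out by the port check, and the non-blocked ConnectionSuccess row is ignored. The `threshold` parameter is where the tuning mentioned above happens; an allowlist of known scanner addresses would be applied before the aggregation.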

Details


Steven Lim

Released: February 1, 2025

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

where, summarize, by
