Credential Access, NTLM stealing Over SMB
SBMNTLM
Query
DeviceNetworkEvents
| where ActionType == @"ConnectionSuccess"
| where (RemotePort==445 or RemotePort == 135)and RemoteIPType == @"Public" and InitiatingProcessVersionInfoCompanyName != @"VMware, Inc." and RemoteUrl !contains "google"Explanation
This query looks for outgoing internet traffic that could indicate NTLM stealing over SMB. It filters for connections on ports 445 or 135 to public IP addresses, excludes connections from VMware, and excludes connections to Google.
Details

Ali Hussein
Released: February 20, 2024
Tables
DeviceNetworkEvents
Keywords
DeviceNetworkEventsActionTypeRemotePortRemoteIPTypeInitiatingProcessVersionInfoCompanyNameRemoteUrl
Operators
where==orand!=contains