Query Details

SBMNTLM

Query

name: Credential Access, NTLM stealing Over SMB
description: Outgoing traffic to the internet which might indicate NTLM stealing
references:
tags: Credential Access
search_query: 
(DeviceNetworkEvents
| where ActionType == @"ConnectionSuccess"
// SMB (445) or RPC endpoint mapper (135) to a public address, minus two known noisy sources
| where (RemotePort == 445 or RemotePort == 135) and RemoteIPType == @"Public" and InitiatingProcessVersionInfoCompanyName != @"VMware, Inc." and RemoteUrl !contains "google"
)
Notes:

Explanation

This query looks for outgoing internet traffic that could indicate NTLM stealing over SMB. It keeps only successful connections (ActionType ConnectionSuccess) on port 445 or 135 to public IP addresses, excludes connections whose initiating process carries the version-info company name "VMware, Inc.", and excludes connections whose RemoteUrl contains "google".
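The following is an added example, not part of the original query page: a small Python re-implementation of the query's predicates so the filter can be exercised offline against a handful of constructed DeviceNetworkEvents-shaped rows before it is run in Defender. It reproduces two KQL details that matter for the exclusions: `==` and `!=` compare case-sensitively, while `contains` is case-insensitive. The sample rows, device names, process names and IP addresses (documentation ranges) are all constructed.

```python
"""Offline check of the 'NTLM stealing over SMB' filter against constructed rows.

The rows imitate the DeviceNetworkEvents columns the query touches; they are
not real telemetry. RemoteIPType is supplied as Defender would populate it.
"""
from typing import Any, Dict, Iterable, List

Event = Dict[str, Any]

# Constructed sample events (hypothetical devices, processes and addresses).
SAMPLE_EVENTS: List[Event] = [
    # Should match: successful SMB connection to a public address from a plain process.
    {"DeviceName": "ws01", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.25",
     "RemoteIPType": "Public", "RemotePort": 445, "RemoteUrl": "",
     "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation"},
    # Internal file server: RemoteIPType is Private, so it is out of scope.
    {"DeviceName": "ws01", "ActionType": "ConnectionSuccess", "RemoteIP": "10.0.0.5",
     "RemoteIPType": "Private", "RemotePort": 445, "RemoteUrl": "",
     "InitiatingProcessFileName": "System",
     "InitiatingProcessVersionInfoCompanyName": ""},
    # Blocked at the edge: ActionType is not ConnectionSuccess.
    {"DeviceName": "ws02", "ActionType": "ConnectionFailed", "RemoteIP": "198.51.100.7",
     "RemoteIPType": "Public", "RemotePort": 135, "RemoteUrl": "",
     "InitiatingProcessFileName": "svchost.exe",
     "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation"},
    # Excluded by the exact, case-sensitive company-name comparison.
    {"DeviceName": "ws03", "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.9",
     "RemoteIPType": "Public", "RemotePort": 135, "RemoteUrl": "",
     "InitiatingProcessFileName": "vmware-tray.exe",
     "InitiatingProcessVersionInfoCompanyName": "VMware, Inc."},
    # Excluded by the case-insensitive 'contains "google"' clause.
    {"DeviceName": "ws04", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.40",
     "RemoteIPType": "Public", "RemotePort": 445, "RemoteUrl": "docs.GOOGLE.com",
     "InitiatingProcessFileName": "chrome.exe",
     "InitiatingProcessVersionInfoCompanyName": "Google LLC"},
    # Wrong port: ordinary HTTP, out of scope.
    {"DeviceName": "ws05", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.50",
     "RemoteIPType": "Public", "RemotePort": 80, "RemoteUrl": "example.net",
     "InitiatingProcessFileName": "curl.exe",
     "InitiatingProcessVersionInfoCompanyName": ""},
    # Still matches: "!=" is case-sensitive, so a differently-cased vendor string is NOT excluded.
    {"DeviceName": "ws06", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.60",
     "RemoteIPType": "Public", "RemotePort": 135, "RemoteUrl": "",
     "InitiatingProcessFileName": "updater.exe",
     "InitiatingProcessVersionInfoCompanyName": "VMWARE, INC."},
]


def matches_query(ev: Event) -> bool:
    """Apply the same predicates as the KQL query to one event row."""
    if ev.get("ActionType") != "ConnectionSuccess":
        return False
    if ev.get("RemotePort") not in (445, 135):
        return False
    if ev.get("RemoteIPType") != "Public":
        return False
    # KQL "!=" on strings is case-sensitive: only the exact vendor string is excluded.
    if ev.get("InitiatingProcessVersionInfoCompanyName", "") == "VMware, Inc.":
        return False
    # KQL "!contains" is case-insensitive; an empty RemoteUrl never contains "google".
    if "google" in (ev.get("RemoteUrl") or "").lower():
        return False
    return True


def hunt(events: Iterable[Event]) -> List[Event]:
    """Return the rows the query would surface, in input order."""
    return [ev for ev in events if matches_query(ev)]


def summarize(hits: Iterable[Event]) -> Dict[str, int]:
    """Count hits per device/initiating process, a convenient triage pivot."""
    counts: Dict[str, int] = {}
    for ev in hits:
        key = f"{ev['DeviceName']}/{ev['InitiatingProcessFileName']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(hunt(SAMPLE_EVENTS)).items():
        print(f"{key}: {n} outbound SMB/RPC connection(s) to public addresses")
```

The ws06 row is the point of the exercise: because the company-name exclusion is an exact string comparison, a version-info string that differs only in case is still surfaced, whereas the RemoteUrl exclusion drops any hostname containing "google" regardless of case. Version-info fields are set by whoever builds the binary, so a vendor-name exclusion is a noise filter rather than a trust decision; triage hits on the initiating process and destination rather than on that field.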

Details


Ali Hussein

Released: February 20, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,ActionType,RemotePort,RemoteIPType,InitiatingProcessVersionInfoCompanyName,RemoteUrl

Operators

where, ==, or, and, !=, contains
