Query Details
**SMB & NTLM Negotiation to Unknown Remote IPs**

**Description**: NetworkSignatureInspected only means the network sensor saw and matched a signature (it inspected the packet); it does not mean the flow was blocked. That's the problem. If your machines are negotiating SMB or NTLM with unknown remote IPs, you've got a real risk on your hands: data leakage, credential relay, or worm-style propagation. SMB to the Internet is almost never legitimate; if you don't recognize the remote IP, treat it as suspicious.

The KQL query combines several conditions so it catches not only the default connections on the legacy (139) or modern (445) SMB ports, but also cases where SMB is running over non-standard ports (an attempt to evade simple port-based detection). It also extracts the NTLM negotiation state from the matched or sampled packet content, so you can spot repeated or incomplete negotiation attempts (useful for detecting scanning, failed authentications, or relay attempts).

```kql
DeviceNetworkEvents
| extend af = parse_json(AdditionalFields)
| extend SignatureName = tostring(af.SignatureName)
| extend SigMatched = tostring(af.SignatureMatchedContent)
| extend SamplePacket = tostring(af.SamplePacketContent)
// SMB ports on either side, SMB1 (\xFF SMB) / SMB2+ (\xFE SMB) header bytes, or an NTLMSSP blob
| where isnotempty(RemoteIP)
    and (RemotePort in (139, 445)
        or LocalPort in (139, 445)
        or SigMatched contains "%FESMB"
        or SigMatched contains "%FFSMB"
        or SigMatched contains "NTLMSSP"
        or SamplePacket contains "NTLMSSP")
| where not(ipv4_is_private(RemoteIP)) and isnotempty(SignatureName) // only public IPv4
| extend geo_ip = tostring(geo_info_from_ip_address(RemoteIP).country)
| where isnotempty(geo_ip)
| extend Combined = strcat(SigMatched, " ", SamplePacket)
// NTLMSSP MessageType, as rendered either percent-encoded or \x-escaped by the sensor
| extend MsgTypeNum = case(
    Combined contains "%01%00%00%00" or Combined contains "\x01\x00\x00\x00", 1,
    Combined contains "%02%00%00%00" or Combined contains "\x02\x00\x00\x00", 2,
    Combined contains "%03%00%00%00" or Combined contains "\x03\x00\x00\x00", 3,
    0)
| extend MsgType = case(
    MsgTypeNum == 1, "Type 1 = client initiates (Negotiate)",
    MsgTypeNum == 2, "Type 2 = server responds with Challenge",
    MsgTypeNum == 3, "Type 3 = client sends response with credentials",
    "Unknown / not extracted")
| summarize make_set(RemotePort), Distinct_ports = dcount(RemotePort), count()
    by DeviceName, LocalPort, InitiatingProcessFileName, geo_ip, RemoteIP, SignatureName, MsgType, ActionType
| order by Distinct_ports
```
This KQL query is designed to identify potentially risky network activity involving the SMB (Server Message Block) and NTLM (NT LAN Manager) protocols. Here is a simplified breakdown of what the query does:

- **Data Source**: It analyzes network events from the DeviceNetworkEvents table.
- **Signature Inspection**: The query checks the signature-matched content and sample packet content for SMB and NTLM negotiation markers. It looks for this activity on both the standard ports (139 and 445) and on non-standard ports, which might indicate an attempt to bypass simple port-based detection.
- **Remote IP Filtering**: It keeps only connections to remote IPv4 addresses that are not private (i.e., public IPs), as these are more likely to be suspicious.
- **Geolocation**: The query extracts the country of each remote IP to provide additional context.
- **NTLM Negotiation State**: It identifies the stage of the NTLM negotiation by extracting the NTLMSSP message type:
  - Type 1 = client initiates (Negotiate)
  - Type 2 = server responds with Challenge
  - Type 3 = client sends response with credentials
- **Summary and Analysis**: The query summarizes the data by collecting the remote ports seen, counting distinct remote ports and occurrences, grouped by device name, local port, initiating process, geolocation, remote IP, signature name, message type, and action type.
- **Sorting**: Finally, it orders the results by the number of distinct remote ports involved, which helps prioritize investigation based on the diversity of ports used.

Overall, this query helps identify and analyze potentially unauthorized or suspicious SMB/NTLM activity with unknown remote IPs, which could pose security risks such as data leakage or unauthorized access.
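To make the filter and the negotiation-state extraction concrete, here is the same logic re-implemented in Python and run over a handful of constructed DeviceNetworkEvents-style rows, so it can be exercised offline. This is example code added for illustration, not the query author's code and not something Defender ships. It assumes the field names of the Defender table, invents the SignatureName values, uses documentation IP ranges (198.51.100.0/24, 203.0.113.0/24) for the "unknown remote IPs", and leaves out the geo_ip step because that needs a GeoIP database. One deliberate difference from the query is noted in the code: the message type is read only from the four bytes that follow the `NTLMSSP\0` signature, rather than from a `%01%00%00%00` substring anywhere in the content.

```python
"""SMB/NTLM negotiation to public IPv4 peers: offline re-implementation of the KQL logic.

Example code added to illustrate the query; constructed sample rows are embedded below.
"""
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}

# Same ranges as Kusto's ipv4_is_private (RFC 1918). IPv6 peers are dropped,
# matching the query's "only public IPv4" filter.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MSG_TYPE = {
    1: "Type 1 = client initiates (Negotiate)",
    2: "Type 2 = server responds with Challenge",
    3: "Type 3 = client sends response with credentials",
    0: "Unknown / not extracted",
}

# The sensor renders packet bytes either as %XX or as \xXX; both forms are decoded.
_ESC = re.compile(r"%([0-9A-Fa-f]{2})|\\x([0-9A-Fa-f]{2})")


def is_public_ipv4(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return isinstance(addr, ipaddress.IPv4Address) and not any(addr in n for n in PRIVATE_NETS)


def decode_escapes(s: str) -> bytes:
    """Turn the %XX / \\xXX renderings back into raw bytes; other characters pass through."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1) or m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1", "replace")
    return bytes(out)


def ntlm_message_type(sig_matched: str, sample_packet: str) -> int:
    """Read the little-endian MessageType that follows the 'NTLMSSP\\0' signature.

    Stricter than the query's substring test: a stray %01%00%00%00 that is not
    anchored to the NTLMSSP signature is reported as 0 (not extracted).
    """
    data = decode_escapes(sig_matched + " " + sample_packet)
    i = data.find(b"NTLMSSP\x00")
    if i < 0 or len(data) < i + 12:
        return 0
    t = int.from_bytes(data[i + 8:i + 12], "little")
    return t if t in (1, 2, 3) else 0


def smb_or_ntlm_indicator(row: dict) -> bool:
    """The query's first `where`: SMB ports on either side, SMB1/SMB2 header bytes, or an NTLMSSP blob."""
    sig, pkt = row["SigMatched"], row["SamplePacket"]
    return (row["RemotePort"] in SMB_PORTS or row["LocalPort"] in SMB_PORTS
            or "%FESMB" in sig or "%FFSMB" in sig  # \xFE'SMB' = SMB2/3 header, \xFF'SMB' = SMB1 header
            or "NTLMSSP" in sig or "NTLMSSP" in pkt)


GROUP_KEYS = ("DeviceName", "LocalPort", "InitiatingProcessFileName", "RemoteIP",
              "SignatureName", "MsgType", "ActionType")


def summarize(rows):
    """Filter like the query and group like its `summarize ... by`, most distinct remote ports first."""
    groups = defaultdict(lambda: {"RemotePorts": set(), "count": 0})
    for r in rows:
        if not r["RemoteIP"] or not smb_or_ntlm_indicator(r):
            continue
        if not is_public_ipv4(r["RemoteIP"]) or not r["SignatureName"]:
            continue
        msg = MSG_TYPE[ntlm_message_type(r["SigMatched"], r["SamplePacket"])]
        key = tuple(r[k] if k != "MsgType" else msg for k in GROUP_KEYS)
        groups[key]["RemotePorts"].add(r["RemotePort"])
        groups[key]["count"] += 1
    result = [dict(zip(GROUP_KEYS, k), RemotePorts=sorted(v["RemotePorts"]),
                   Distinct_ports=len(v["RemotePorts"]), count=v["count"]) for k, v in groups.items()]
    return sorted(result, key=lambda g: g["Distinct_ports"], reverse=True)


def _row(device, lport, proc, rip, rport, sig_name, sig, pkt, action="NetworkSignatureInspected"):
    return dict(DeviceName=device, LocalPort=lport, InitiatingProcessFileName=proc, RemoteIP=rip,
                RemotePort=rport, SignatureName=sig_name, SigMatched=sig, SamplePacket=pkt, ActionType=action)


# Constructed sample events (signature names invented, IPs from documentation ranges).
SAMPLE_EVENTS = [
    # A public host hits the file server's port 445 from three source ports, each time opening
    # NTLM with a Type 1 and never completing: the repeated/incomplete pattern the text describes.
    _row("fs01", 445, "System", "198.51.100.7", 51000, "NTLMSSP_Negotiate", "NTLMSSP%00%01%00%00%00", ""),
    _row("fs01", 445, "System", "198.51.100.7", 51001, "NTLMSSP_Negotiate", "NTLMSSP%00%01%00%00%00", ""),
    _row("fs01", 445, "System", "198.51.100.7", 51002, "NTLMSSP_Negotiate", "NTLMSSP%00%01%00%00%00", ""),
    # Workstation speaking SMB2 to an Internet host on a non-standard port; the Type 2 comes back \x-escaped.
    _row("ws01", 52110, "explorer.exe", "203.0.113.10", 8445, "SMB2_Header", "%FESMB", "NTLMSSP\\x00\\x02\\x00\\x00\\x00"),
    # Noise the query drops: RFC 1918 peer, IPv6 peer, and plain HTTPS with no SMB/NTLM marker.
    _row("ws01", 52111, "explorer.exe", "192.168.1.5", 445, "SMB2_Header", "%FESMB", ""),
    _row("ws01", 52112, "explorer.exe", "2001:db8::1", 445, "SMB2_Header", "%FESMB", ""),
    _row("ws01", 52113, "msedge.exe", "203.0.113.10", 443, "TLS_ClientHello", "", ""),
]

if __name__ == "__main__":
    for g in summarize(SAMPLE_EVENTS):
        print(g)
```

Run as a script it prints two groups: the fs01 row with three distinct remote ports and three Type 1 negotiations sorts first, the ws01 non-standard-port SMB2 session with a Type 2 challenge second, and the private, IPv6 and HTTPS rows are dropped exactly as the query's `where` clauses would drop them.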

Sergio Albea
Released: September 22, 2025