Query Details

Suspicious SMB Sessions

Query

let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     TimeGenerated,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount

About this query

Explanation

This KQL query is designed to help identify suspicious SMB (Server Message Block) activities on a network, which can be indicative of malicious behavior such as lateral movement by attackers. Here's a simplified breakdown of the steps involved in the query:

Step 1: Identify Devices with Most SMB Sessions

  • Objective: Find devices with the highest number of unique SMB connections.
  • Method:
    • Exclude domain controllers to reduce noise, as they typically generate many SMB connections.
    • Count unique remote IPs connected to each device over a specified timeframe (default is 24 hours).

Step 2: Investigate Files Creating SMB Sessions

  • Objective: Identify files responsible for initiating SMB sessions.
  • Method:
    • Exclude known benign processes (e.g., MDI Sensor, MDE Device Discovery).
    • Count unique SMB sessions initiated by each file to detect potentially suspicious files.

Step 3: Investigate Suspicious Files

  • Objective: Examine connections made by suspicious files identified in Step 2. - Method:
    • Focus on specific files (e.g., nmap.exe, bloodhound.exe) that are known for network scanning or reconnaissance.
    • Gather details about commands executed by these files.

Step 4: Investigate Devices with Suspicious Connections

  • Objective: Analyze all connections made by devices identified as suspicious.
  • Method:
    • List unique IPs accessed by these devices and count the total number of accessed IPs.

Optional Step 5: Investigate SMB File Copies

  • Objective: Detect unauthorized file copies over SMB.
  • Method:
    • Exclude whitelisted accounts.
    • List file copy activities, including file paths and names, performed by non-whitelisted accounts.

Conclusion

  • If suspicious or malicious activities are detected, further investigation can be conducted using additional Digital Forensics and Incident Response (DFIR) queries.

This query is useful for threat hunting and identifying potential security incidents involving SMB activities within a network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents IdentityDirectoryEvents

Keywords

DeviceNetworkEventsIdentityDirectoryRemoteIPNameInitiatingProcessFileFolderPathAccountDomainActionTypeTimeGeneratedTimestampAdditionalFields

Operators

letwheresummarizemake_setagodcountsortdynamicinin~<>==has_anyparse_jsonproject-renameproject-reorder

Actions

GitHub