# Suspicious SMB Sessions

SMB can be used by attackers in various ways, such as accessing remote shares, transferring files, interacting with systems via RPC calls and remote code execution. Actors are known to use SMB to perform reconnaissance on reachable systems in preparation for lateral movement. The goal of this Threat Hunting case is to find suspicious SMB activities within the network. Defender For Endpoint logging will be used to hunt for the activities (and optionally Defender For Identity).

## Step 1: List the devices that have the most SMB Sessions

The first step is to get insight into the devices that have the most unique SMB connections. Domain Controllers are filtered out because they normally generate a lot of noise (via MDI); the filter can be removed if you want to include your Domain Controllers.

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceNetworkEvents
| where Timestamp  > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // This is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // This is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections
```

## Step 2: Investigate what Files created the SMB Sessions

In Windows, some executables are known to set up benign SMB sessions or to map shares. Tools such as nmap or bloodhound can be spotted with this query, which counts the unique SMB sessions generated by each initiating file.

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath
```

## Step 3: Investigate suspicious files

Based on the output of step 2, the files that seem suspicious can be added to the FileNames list in the query. We then investigate which connections are made using those files and which processes and accounts generated that activity. As an example, nmap and bloodhound have been added; the FileNames list is not limited to .exe files, any file type can be added.

### SMB Sessions by FileName

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName in~ (FileNames)
| summarize CommandsExecuted = make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName in~ (FileNames)
| summarize CommandsExecuted = make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName
```

## Step 4: Investigate the Devices

This step investigates all connections made by the devices that created suspicious connections in the previous steps. The end result is a list of all the unique IPs that each of those devices has accessed.

### Defender For Endpoint
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']);
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where ActionType  == "ConnectionSuccess"
| where DeviceName in~ (SuspiciousDevices)
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName
```
### Sentinel
```
let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| where DeviceName in~ (SuspiciousDevices)
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName
```
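As an added example (not part of the original hunting case), the following Defender For Endpoint query combines the filters of steps 1 and 2 and bins the successful SMB connections per device, process and account into short windows, so that a share sweep (many unique targets in a few minutes) stands out. BurstWindow and BurstThreshold are assumed starting values to tune for your environment; in Sentinel use TimeGenerated instead of Timestamp.

```kql
// Added example, not from the original hunting case: steps 1 and 2 combined with
// time binning to surface SMB sweeps (many unique targets in a short window).
let TimeFrame = 24h;          // customizable: h = hours, d = days
let BurstWindow = 5m;         // assumed bin size, tune for your environment
let BurstThreshold = 20;      // assumed: unique SMB targets per window before a row is kept
let AllDomainControllers =
     DeviceNetworkEvents
     | where Timestamp > ago(TimeFrame)
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | distinct DeviceId;     // single-column table, usable directly with 'in'
let SensorProcesses = dynamic(['Microsoft.Tri.Sensor.exe', 'sensendr.exe']); // MDI sensor, MDE device discovery
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| where not(DeviceId in (AllDomainControllers))              // drop Domain Controllers, as in step 1
| where not(InitiatingProcessFileName in~ (SensorProcesses)) // drop known sensors, as in step 2
| summarize
    UniqueTargets = dcount(RemoteIP),
    SampleTargets = make_set(RemoteIP, 20),                   // first 20 targets per window
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, WindowStart = bin(Timestamp, BurstWindow)
| where UniqueTargets >= BurstThreshold
| sort by UniqueTargets desc
```

Rows that survive the threshold are candidates for step 3 (add the file name to FileNames) and step 4 (add the device to SuspiciousDevices).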

## Optional: Step 5: SMB File Copies

This section is optional, since it only helps if you suspect that the actor has performed file copies. The query lists the SMB file copies recorded by Defender For Identity, excluding the accounts in WhitelistedAccounts, so you can review the copies performed by the accounts collected in this Threat Hunting case. It requires Defender For Identity, because the IdentityDirectoryEvents table is populated by the MDI sensor.

### Defender For Endpoint

```
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     Timestamp,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount
```
### Sentinel
```
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     TimeGenerated,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount
```

## Found Something Interesting?

If you found malicious activities, take a look at the [DFIR Queries](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/DFIR); they can help with the investigation of an incident.

Explanation

The query is designed to identify suspicious SMB (Server Message Block) activities within a network. It consists of several steps:

Step 1: List the devices with the most SMB sessions

  • This step identifies the devices that have the highest number of unique SMB connections.

Step 2: Investigate what files created the SMB sessions

  • This step focuses on specific files that are known to set up benign SMB sessions or map shares. It counts the unique SMB sessions generated by each file.

Step 3: Investigate suspicious files

  • Based on the output of step 2, this step investigates the connections made using the suspicious files and the processes that generated those activities.

Step 4: Investigate the devices

  • This step examines all connections made by the devices that have created suspicious connections. It provides a list of the unique IP addresses accessed by those devices.

Optional Step 5: SMB file copies

  • This optional step lists all file copies performed by the accounts collected in the previous steps. It helps if there is suspicion of file copying by the attacker.

If any malicious activities are found, the query suggests referring to DFIR (Digital Forensics and Incident Response) queries for further investigation.

Details

Bert-Jan Pals

Released: April 14, 2023

Tables

The queries use the following tables:

  • DeviceNetworkEvents
  • IdentityDirectoryEvents

Operators

Operators and functions used in the queries: let, dynamic, where, not, in, in~, has_any, ago, summarize, make_set, dcount, sort by, extend, parse_json, project-rename, project-reorder.
