Skip to content

Latest commit

 

History

History
168 lines (147 loc) · 7.07 KB

Suspicious SMB Sessions.md

File metadata and controls

168 lines (147 loc) · 7.07 KB

Suspicious SMB Sessions

SMB can be used in various ways by attackers, such as accessing remote shares, transfering files, interacting with systems using RPC calls and remote code execution. Actors are known to use SMB to perform reconnaissance on open systems in order to perform lateral movement. The goal of this Threat Hunting case is to find suspicious SMB activities within the network. Defender For Endpoint logging will be used to hunt for the activities (and optionally Defender For Identity).

Step 1: List the devices that have the most SMB Sessions

The first step is to get intsight in the devices that have the most unique SMB connections. There is a filter on Domain Controllers, because they normaly generate a lot of noise (via MDI), the filter can be removed if you want to include your Domain Controllers.

Defender For Endpoint

let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceNetworkEvents
| where Timestamp  > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // THis is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections

Sentinel

let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // This is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections

Step 2 Investigate what Files created the SMB Sessions

In Windows some files are known to set up benign SMB sessions or to map shares. FileNames as nmap or bloodhound can be detected via this detection rule. This is done by counting the unique SMB sessions that have been generated by each file.

Defender For Endpoint

let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath

Sentinel

let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath

Step 3: Investigate suspicious files

Based on the output of step 2, the files that seem suspicious can be added to the list in the query. We will then investigate what connections are made using those files and what processes generated those activities. As example nmap and bloodhound have been added, the FileNames list is not limited to .exe files, any filetype can be added.

SMB Sessions by FileName

Defender For Endpoint

let TimeFrame = 24h; //Customizable h = hours, d = days
let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName in~ (FileNames)
| summarize CommandsExecuted = make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Sentinel

let TimeFrame = 24h; //Customizable h = hours, d = days
let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName in~ (FileNames)
| summarize CommandsExecuted = make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Step 4: Investigate the Devices

This step investigates all connections made by the devices that have created suspicious connections. Those devices can be collected based on the previous steps. The endresult will be a list with al the unique IPs that have been accessed.

Defender For Endpoint

let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']);
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where ActionType  == "ConnectionSuccess"
| where DeviceName in~ (SuspiciousDevices)
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName

Sentinel

let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| where DeviceName in~ (SuspiciousDevices)
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName

Optional: Step 5 SMB File Copies

This section is optional, since it only helps if you suspect that the actor has performed file copies. This query will list all file copies that have been performed by the accounts that have been collected in this Threat Hunting case.

Defender For Endpoint

let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     Timestamp,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount

Sentinel

let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     TimeGenerated,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount

Found Something Interesting?

If you found malicious activities take a look at the DFIR Queries they can help by the investigation of an incident.