Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft Defender for EndpointMicrosoft SentinelSECURE

Hunt For Suspicious SMB Sessions

Wayne Andes 28 min read

SMB can be used in various ways by attackers, such as accessing remote shares, transfering files, interacting with systems using RPC calls and remote code execution. Actors are known to use SMB to perform reconnaissance on open systems in order to perform lateral movement. The goal of this Threat Hunting case is to find suspicious SMB activities within the network. Defender For Endpoint logging will be used to hunt for the activities (and optionally Defender For Identity).

Step 1: List the devices that have the most SMB Sessions

The first step is to get intsight in the devices that have the most unique SMB connections. There is a filter on Domain Controllers, because they normaly generate a lot of noise (via MDI), the filter can be removed if you want to include your Domain Controllers.

Microsoft Defender For Endpoint
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceNetworkEvents
| where Timestamp  > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // THis is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections

Microsoft Sentinel
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
let AllDomainControllers =
     DeviceNetworkEvents
     | where LocalPort == 88
     | where LocalIPType == "FourToSixMapping"
     | summarize make_set(DeviceId);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where not(DeviceId in (AllDomainControllers)) // This is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
| summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
| sort by TotalRemoteConnections

Step 2: Investigate what Files created the SMB Sessions

In Windows some files are known to set up benign SMB sessions or to map shares. FileNames as NMap or Bloodhound can be detected via this detection rule. This is done by counting the unique SMB sessions that have been generated by each file.

Microsoft Defender For Endpoint
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath

Microsoft Sentinel
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName <> "Microsoft.Tri.Sensor.exe" // MDI Sensor
| where InitiatingProcessFileName <> "sensendr.exe" // MDE Device Discovery
| summarize dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessFolderPath

Step 3: Investigate suspicious files

Based on the output of step 2, the files that seem suspicious can be added to the list in the query. We will then investigate what connections are made using those files and what processes generated those activities. As example nmap and bloodhound have been added, the FileNames list is not limited to .exe files, any filetype can be added.

SMB Sessions by FileName
Microsoft Defender For Endpoint
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName in~ (FileNames)
| summarize CommandsExecuted = make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Microsoft Sentinel
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
let FileNames = dynamic(['nmap.exe', 'bloodhound.exe']); // Add your own findings in the list, these are examples
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where InitiatingProcessFileName in~ (FileNames)
| summarize CommandsExecuted = make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName

Step 4: Investigate the Devices

This step investigates all connections made by the devices that have created suspicious connections. Those devices can be collected based on the previous steps. The end result will be a list with all the unique IPs that have been accessed.

Microsoft Defender For Endpoint
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']);
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort == 445
| where ActionType  == "ConnectionSuccess"
| where DeviceName in~ (SuspiciousDevices)
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName

Microsoft Sentinel
Kusto
let TimeFrame = 24h; //Customizable h = hours, d = days
let SuspiciousDevices = dynamic(['server1.com', 'laptop1.com']);
DeviceNetworkEvents
| where TimeGenerated > ago(TimeFrame)
| where RemotePort == 445
| where ActionType == "ConnectionSuccess"
| where DeviceName in~ (SuspiciousDevices)
| summarize IPsAccessed = make_set(RemoteIP), TotalIPs = dcount(RemoteIP) by DeviceName

Step 5 (Optional): SMB File Copies

This section is optional, since it only helps if you suspect that the actor has performed file copies. This query will list all file copies that have been performed by the accounts that have been collected in this Threat Hunting case.

Microsoft Defender For Endpoint
Kusto
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     Timestamp,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount

Microsoft Sentinel
Kusto
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     TimeGenerated,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount

You May Also Like

Detect Scattered Spider Defense Evasion via Conditional Access Policies

Wayne Andes

List Triggered Safe Links Email URL Block

Wayne Andes

List QR Code URLs in Delivered Inbound Email Messages Detected By by Microsoft Defender XDR

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *