medium advisory

Suspicious SMB Connections via LOLBin or Untrusted Process

This rule flags processes that are either not signed by Microsoft or are known living-off-the-land binaries (LOLBins) making outbound Server Message Block (SMB) connections to TCP port 445, activity that can indicate lateral movement attempts.

This detection rule, originally published by Elastic, identifies potentially suspicious processes making Server Message Block (SMB) network connections over TCP port 445. Windows file sharing is implemented over SMB, which communicates between hosts on port 445. Legitimate SMB connections are normally established by the kernel-mode SMB redirector, which appears as the System process (PID 4), so a user-mode process opening port 445 itself is unusual. The rule therefore focuses on processes that are either untrusted (not signed by Microsoft) or living-off-the-land binaries (LOLBins) initiating SMB connections. It helps detect port scanners, exploits, or user-level tools attempting lateral movement within the network over SMB. The rule is designed for data generated by Elastic Defend.

Attack Chain

  1. An attacker gains initial access to a Windows host through various means.
  2. The attacker runs a binary that is not signed by Microsoft, or abuses a Microsoft-signed LOLBin, from user mode.
  3. This process attempts to establish a network connection to a remote host on TCP port 445 (SMB), bypassing the kernel redirector that would normally make the connection.
  4. The attacker may use this connection to enumerate shares.
  5. The attacker attempts to authenticate to the remote SMB share.
  6. Upon successful authentication, the attacker may copy malicious payloads to the remote share.
  7. The attacker executes the copied payloads on the remote system, achieving lateral movement.

Impact

A successful attack can lead to lateral movement within the network, allowing the attacker to compromise additional systems and gain further access to sensitive data. The scope of the impact depends on the permissions of the compromised account and the level of access granted to the attacker on the target systems. This could result in data exfiltration, system disruption, or ransomware deployment.

Recommendation

  • Deploy the Sigma rule Detect Outbound SMB Connection by Untrusted Process to your SIEM and tune it for your environment (for example, allowlist backup, management or third-party security agents that legitimately open SMB connections from user mode).
  • Investigate any alerts generated by this rule, focusing on the process execution chain, the signer of the binary, and the set of destination hosts contacted.
  • Implement network segmentation to limit lateral movement possibilities, including restricting inbound port 445 between workstations.
  • Ensure that systems are patched against known SMB vulnerabilities.
  • Monitor process creation events for unusual processes that are not signed by Microsoft.
  • Enable network connection logging (process-attributed, such as Elastic Defend or Sysmon network events) so SMB traffic can be tied back to the originating process.

Detection coverage (3 rules)

Detect Outbound SMB Connection by Untrusted Process

medium

Detects processes that are not signed by Microsoft and that initiate an outbound SMB connection.

Sigma rule. Tactics: lateral_movement. Techniques: T1021.002. Sources: network_connection, windows.

Detect Suspicious Process Start with Network Connection to SMB

medium

Detects a process start event followed by a network connection to SMB port 445 from the same process within a short timeframe, excluding Microsoft-signed binaries.

Sigma rule. Tactics: lateral_movement. Techniques: T1021.002. Sources: process_creation, windows.

Detect LOLBins Making SMB Connections

low

Detects Living Off The Land Binaries (LOLBins) making outbound SMB connections.

Sigma rule. Tactics: lateral_movement. Techniques: T1021.002. Sources: network_connection, windows.
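The following is an added worked example of the logic behind all three rules above (the per-event untrusted-process and LOLBin checks, and the process-start-then-SMB correlation), replayed over constructed Elastic Defend / ECS-style events. It is not Elastic's published query or the platform's rule text. Assumed: ECS field names (process.pid, destination.port, process.code_signature.*), a Microsoft signer check on code_signature.subject_name, an illustrative LOLBin list, and a 30-second correlation window.

```python
"""Replay of the three rules over constructed ECS-style events.
Added example, not Elastic's published query or the platform's rule text.
Assumptions: ECS field names as emitted by Elastic Defend, a Microsoft signer
check on code_signature.subject_name, an illustrative LOLBin list, and a
30-second correlation window for the process-start rule."""
from datetime import datetime, timedelta

SMB_PORT = 445
SYSTEM_PID = 4                 # kernel SMB redirector runs as System; the expected SMB source
LOOPBACK = {"127.0.0.1", "::1"}
# Illustrative LOLBAS subset that can be coerced into opening an SMB connection (assumption)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe", "msiexec.exe"}


def is_microsoft_signed(proc: dict) -> bool:
    """Trusted Authenticode signature whose subject begins with 'Microsoft' (assumed check)."""
    sig = proc.get("code_signature", {})
    return bool(sig.get("trusted")) and sig.get("subject_name", "").startswith("Microsoft")


def is_outbound_smb(ev: dict) -> bool:
    """Egress connection to TCP/445 that is not from PID 4 and not to loopback."""
    dst, proc = ev.get("destination", {}), ev.get("process", {})
    return (ev.get("event", {}).get("category") == "network"
            and ev.get("network", {}).get("direction") == "egress"
            and dst.get("port") == SMB_PORT
            and dst.get("ip") not in LOOPBACK
            and proc.get("pid") != SYSTEM_PID)


def classify(ev: dict):
    """Rules 1 and 3 on a single network event: 'untrusted_smb', 'lolbin_smb' or None.
    An unsigned binary named like a LOLBin is reported as untrusted (the higher severity)."""
    if not is_outbound_smb(ev):
        return None
    proc = ev["process"]
    if not is_microsoft_signed(proc):
        return "untrusted_smb"
    if proc.get("name", "").lower() in LOLBINS:
        return "lolbin_smb"
    return None


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def correlate_start_then_smb(events, window=timedelta(seconds=30)):
    """Rule 2: a non-Microsoft-signed process start followed, within `window`,
    by an outbound SMB connection from the same PID.  Caveat: PIDs are reused,
    so a production rule should also key on process.entity_id."""
    starts, hits = {}, []
    for ev in sorted(events, key=_ts):
        proc = ev.get("process", {})
        e = ev.get("event", {})
        if e.get("category") == "process" and e.get("type") == "start":
            if not is_microsoft_signed(proc):
                starts[proc["pid"]] = _ts(ev)
        elif is_outbound_smb(ev) and proc.get("pid") in starts:
            if _ts(ev) - starts[proc["pid"]] <= window:
                hits.append((proc.get("name"), proc["pid"]))
    return hits


def _sig(signed: bool) -> dict:
    return {"trusted": signed, "subject_name": "Microsoft Windows" if signed else "Contoso Tools"}


def _net(ts, name, pid, signed, ip, port=SMB_PORT):
    return {"@timestamp": ts, "event": {"category": "network"},
            "network": {"direction": "egress", "transport": "tcp"},
            "destination": {"ip": ip, "port": port},
            "process": {"name": name, "pid": pid, "code_signature": _sig(signed)}}


# Constructed sample telemetry (not real captures): one benign kernel SMB session,
# one signed shell, one LOLBin, one unsigned scanner (start + connect), one loopback, one HTTPS.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event": {"category": "network"},
     "network": {"direction": "egress", "transport": "tcp"},
     "destination": {"ip": "10.0.0.25", "port": 445}, "process": {"name": "System", "pid": 4}},
    _net("2024-05-01T10:00:01Z", "explorer.exe", 1200, True, "10.0.0.25"),
    _net("2024-05-01T10:00:02Z", "rundll32.exe", 3100, True, "10.0.0.30"),
    {"@timestamp": "2024-05-01T10:00:03Z", "event": {"category": "process", "type": "start"},
     "process": {"name": "scan.exe", "pid": 4412, "code_signature": _sig(False)}},
    _net("2024-05-01T10:00:08Z", "scan.exe", 4412, False, "10.0.0.40"),
    _net("2024-05-01T10:00:09Z", "scan.exe", 4412, False, "127.0.0.1"),
    _net("2024-05-01T10:00:10Z", "updater.exe", 5000, False, "52.0.0.1", port=443),
]


def detect(events):
    """Run all three rules; returns per-event hits and the correlated start-then-SMB hits."""
    single = [(ev["process"].get("name"), classify(ev)) for ev in events if classify(ev)]
    return {"single": single, "correlated": correlate_start_then_smb(events)}


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Running it reports rundll32.exe under the LOLBin rule, scan.exe under the untrusted-process rule, and the same scan.exe PID again under the start-then-connect correlation, while the System (PID 4) session, the Microsoft-signed explorer.exe, the loopback connection and the port-443 connection produce nothing. When tuning, the exclusions to revisit first are the PID 4 and loopback filters and the signer check: a trusted-but-non-Microsoft signer (backup or EDR agents) is still reported as untrusted here, which is where most benign hits will come from.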

Detection queries are kept inside the platform.