Suspicious File Renamed via SMB
Detects a burst of suspicious file rename operations following an incoming SMB connection, potentially indicating a remote ransomware attack over the SMB protocol against Windows hosts.
This detection rule identifies potential remote ransomware attacks targeting Windows systems via the SMB protocol. It looks for a sequence of events: an incoming SMB connection (TCP port 445) followed by a series of suspicious file rename operations. These renames change files of common document types (e.g., .jpg, .doc, .xlsx) to files with high-entropy extensions, a common characteristic of ransomware encryption. Observed in sequence, this activity can indicate that a remote system is encrypting files on the target Windows host through a share. The rule requires at least three such rename operations within a short window (1 second) of the SMB connection being established, and relies on event data collected by Elastic Defend.
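The sequence logic described above, as an added Python illustration; this is not the Elastic rule or its query. The event records, the document-extension list, the field names and the entropy threshold are constructed assumptions chosen for the example, and the real rule may test entropy and tie the sequence together differently.

```python
# Added illustration of the "SMB connection, then >= 3 high-entropy renames
# within 1 second" sequence. Not the Elastic rule itself; all telemetry below
# is constructed.
import math
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed set of "common document types" the rule cares about.
DOCUMENT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx",
                       ".ppt", ".pptx", ".pdf", ".txt"}
ENTROPY_THRESHOLD = 2.5          # assumption (bits per character); tune per environment
MIN_RENAMES = 3                  # from the rule description: at least three renames
MAX_SPAN = timedelta(seconds=1)  # from the rule description: within one second


def shannon_entropy(text):
    """Shannon entropy in bits per character; random extensions score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_rename(old_path, new_path):
    """True when a document-type file gets a new, high-entropy extension."""
    old_ext = PureWindowsPath(old_path).suffix.lower()
    new_ext = PureWindowsPath(new_path).suffix.lower()
    if old_ext not in DOCUMENT_EXTENSIONS or not new_ext or new_ext == old_ext:
        return False
    return shannon_entropy(new_ext.lstrip(".")) >= ENTROPY_THRESHOLD


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """One alert per incoming port-445 connection that is followed, on the same
    host and within MAX_SPAN, by at least MIN_RENAMES suspicious renames."""
    events = sorted(events, key=_ts)
    connections = [e for e in events
                   if e["category"] == "network" and e.get("direction") == "ingress"
                   and e.get("dest_port") == 445]
    renames = [e for e in events
               if e["category"] == "file" and e.get("action") == "rename"
               and is_suspicious_rename(e["old_path"], e["new_path"])]
    alerts = []
    for conn in connections:
        t0 = _ts(conn)
        matched = [r for r in renames
                   if r["host"] == conn["host"] and t0 <= _ts(r) <= t0 + MAX_SPAN]
        if len(matched) >= MIN_RENAMES:
            alerts.append({
                "host": conn["host"],
                "source_ip": conn["source_ip"],          # triage: who connected
                "users": sorted({r["user"] for r in matched}),
                "rename_count": len(matched),
                "new_extensions": sorted({PureWindowsPath(r["new_path"]).suffix
                                          for r in matched}),
                "files": [r["old_path"] for r in matched],
            })
    return alerts


def _rename(ts, host, old, new, user="CORP\\jdoe"):
    return {"ts": ts, "host": host, "category": "file", "action": "rename",
            "user": user, "old_path": old, "new_path": new}


# Constructed sample telemetry: FS01 gets an SMB connection from 10.0.0.77 and
# three documents are renamed within a second (plus benign and out-of-window noise).
EVENTS = [
    {"ts": "2024-05-01T10:00:00.000", "host": "FS01", "category": "network",
     "direction": "ingress", "dest_port": 445, "source_ip": "10.0.0.77"},
    _rename("2024-05-01T10:00:00.150", "FS01", r"C:\Shares\Finance\q1.xlsx",
            r"C:\Shares\Finance\q1.xlsx.k7Qp9Zt2"),
    _rename("2024-05-01T10:00:00.300", "FS01", r"C:\Shares\Finance\budget.docx",
            r"C:\Shares\Finance\budget.docx.k7Qp9Zt2"),
    _rename("2024-05-01T10:00:00.420", "FS01", r"C:\Shares\HR\report.docx",
            r"C:\Shares\HR\report_final.docx"),           # benign: same extension
    _rename("2024-05-01T10:00:00.600", "FS01", r"C:\Shares\HR\scan.jpg",
            r"C:\Shares\HR\scan.jpg.k7Qp9Zt2"),
    _rename("2024-05-01T10:00:00.750", "FS01", r"C:\Shares\HR\photo.jpg",
            r"C:\Shares\HR\photo.jpeg"),                   # benign: low-entropy ext
    _rename("2024-05-01T10:00:05.000", "FS01", r"C:\Shares\HR\late.pdf",
            r"C:\Shares\HR\late.pdf.k7Qp9Zt2"),            # outside the 1 s window
    _rename("2024-05-01T10:03:00.000", "WS07", r"C:\Users\amy\notes.txt",
            r"C:\Users\amy\notes.txt.k7Qp9Zt2"),           # no SMB connection on WS07
    {"ts": "2024-05-01T10:07:00.000", "host": "FS01", "category": "network",
     "direction": "ingress", "dest_port": 445, "source_ip": "10.0.0.12"},
    _rename("2024-05-01T10:07:00.200", "FS01", r"C:\Shares\AP\invoice.pdf",
            r"C:\Shares\AP\invoice.pdf.k7Qp9Zt2", user="CORP\\svc-backup"),  # only one
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Running the block prints a single alert for FS01 from 10.0.0.77 with three renames; the lone rename on WS07 and the single rename after the 10.0.0.12 connection stay silent, which is the gap a local-only or slow-moving encryptor would fall into.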
Attack Chain
- An attacker gains initial access to a network and identifies a Windows host exposing writable SMB shares (T1021.002, SMB/Windows Admin Shares).
- The attacker establishes an SMB connection to the target Windows host on port 445 from a remote system, initiating the file encryption process.
- The ransomware process on the remote attacker system begins iterating through accessible files on the target host via the SMB share.
- For each targeted file, the ransomware renames the original file (e.g., document.docx) to a new file with a high-entropy, randomized extension (e.g., document.xyz123).
- The ransomware process repeats this file renaming operation across multiple files and directories accessible via SMB.
- The encrypted and renamed files become unusable, disrupting normal business operations.
- (Optional) The attacker may deploy ransom notes to the affected SMB shares to demand payment for decryption.
- The victim organization experiences data loss and operational disruption until the encrypted files can be recovered.
Impact
A successful ransomware attack via SMB can result in significant data loss, business disruption, and financial costs. The encryption of critical files can halt operations and require extensive recovery efforts. The source does not specify the number of victims or the sectors targeted; the mapped impact techniques are Data Destruction (T1485), Data Encrypted for Impact (T1486), and Inhibit System Recovery (T1490). Any Windows system that exposes files via SMB shares is affected.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect suspicious file renames via SMB and tune it to your environment.
- Enable Elastic Defend to collect the required event data for this detection.
- Investigate any alerts generated by the Sigma rule by examining the SMB connection and the file rename activity together: the source IP of the connection, the user account performing the renames, the new file extensions, and how many files were touched. Confirm the source host is not a known backup, file-sync, or migration system before escalating.
- Review the triage and analysis steps provided in the rule’s note section to properly investigate detected events.
Detection coverage (2 rules)
Detect Suspicious SMB Connection Followed by File Rename (severity: high)
Detects an SMB connection followed by a high-entropy file rename, potentially indicating ransomware activity. This rule detects a network connection to destination port 445 followed by file rename events.
Detect High Entropy File Rename After SMB Connection (severity: medium)
Detects high-entropy file rename operations after an SMB connection.