{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/smb/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31478"}],"_cs_exploited":false,"_cs_products":["ksmbd"],"_cs_severities":["high"],"_cs_tags":["cve","ksmbd","smb","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31478 is a security vulnerability within Microsoft\u0026rsquo;s ksmbd, a kernel-based SMB server. The vulnerability arises from an error in the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function where a hardcoded value for \u003ccode\u003ehdr2_len\u003c/code\u003e is used instead of calculating it dynamically using \u003ccode\u003eoffsetof()\u003c/code\u003e. While specific exploitation details are not provided in the source, the incorrect buffer calculation could lead to memory corruption or other unexpected behavior, potentially allowing a remote attacker to cause a denial-of-service condition or, in a more severe scenario, execute arbitrary code on the affected system. 
The vulnerability was disclosed on 2026-04-23 as part of a Microsoft Security Update.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, the following attack chain is based on the potential exploitation of a memory corruption vulnerability resulting from an incorrect buffer length calculation.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMBv2 request specifically designed to trigger the flawed \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function is called to calculate the maximum output buffer length for the response to the malicious request, it uses an incorrect value for \u003ccode\u003ehdr2_len\u003c/code\u003e due to the hardcoded value.\u003c/li\u003e\n\u003cli\u003eThis incorrect calculation leads to the allocation of an undersized buffer.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write data exceeding the allocated buffer size into the undersized buffer.\u003c/li\u003e\n\u003cli\u003eThis buffer overflow corrupts adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eDepending on the corrupted data, the server may crash (denial-of-service), or the attacker may gain control of execution flow (remote code execution).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31478 can lead to a denial-of-service condition, disrupting file sharing services provided by the ksmbd server. 
In a more severe scenario, an attacker could achieve remote code execution, allowing them to gain control of the affected system. This could lead to data breaches, system compromise, and further propagation of malicious activity within the network. The impact will vary depending on the privileges of the ksmbd service account and the data stored on the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31478 on all systems running vulnerable versions of ksmbd (Microsoft Security Update Guide).\u003c/li\u003e\n\u003cli\u003eEnable SMB auditing to detect suspicious SMB activity, which could be indicative of exploitation attempts (Windows event logs).\u003c/li\u003e\n\u003cli\u003eDeploy network intrusion detection systems (IDS) to monitor SMB traffic for anomalous patterns associated with exploit attempts (Network traffic).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:33:28Z","date_published":"2026-04-23T07:33:28Z","id":"/briefs/2024-01-ksmbd-cve-2026-31478/","summary":"CVE-2026-31478 is a vulnerability in Microsoft's ksmbd implementation related to incorrect calculation of maximum output buffer length, potentially leading to a denial-of-service or remote code execution.","title":"CVE-2026-31478 Vulnerability in Microsoft ksmbd","url":"https://feed.craftedsignal.io/briefs/2024-01-ksmbd-cve-2026-31478/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exfiltration","credential-access","windows","smb","ntlm"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. 
The SMB protocol, commonly used for file and printer sharing within a network, can be exploited to exfiltrate data by injecting rogue UNC paths to capture NTLM credentials. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique as it allows adversaries to bypass traditional security controls by leveraging a legitimate protocol for malicious purposes. This detection is relevant for environments utilizing Windows operating systems and SMB for internal network communications. The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an internal system via phishing or other means (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker injects a rogue UNC path into a document, email, or other medium.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious document or clicks the injected link, triggering an SMB connection to a malicious external server.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate with the user\u0026rsquo;s NTLM credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the NTLM hash from the authentication attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to crack the NTLM hash to obtain the user\u0026rsquo;s password.\u003c/li\u003e\n\u003cli\u003eUsing the cracked password, the attacker gains unauthorized access to other systems and resources on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization. 
This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SMB Connection to External IP\u0026rdquo; to your SIEM to identify potentially malicious SMB connections to the internet. Tune the rule by excluding known good external IPs used by legitimate services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details as recommended in the linked setup guide, to enhance the fidelity of the detection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-rare-smb-exfiltration/","summary":"This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.","title":"Detecting Rare SMB Connections for Potential NTLM Credential Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-smb-exfiltration/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31611"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-31611","ksmbd","smb","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31611 is a newly disclosed security vulnerability affecting ksmbd, a kernel-based SMB server. 
The vulnerability stems from insufficient validation of sub-authorities within the ksmbd code, specifically requiring at least three sub-authorities before reading sub_auth[2]. While the exact exploitation details remain undisclosed in the initial advisory, the nature of the flaw suggests a potential for memory corruption or out-of-bounds read, which could be leveraged by attackers to achieve unauthorized access or potentially execute arbitrary code within the context of the ksmbd kernel module. This vulnerability poses a significant risk to systems utilizing ksmbd for file sharing, particularly if exposed to untrusted networks. The initial publication of the CVE was on 2026-04-26, but this brief serves as an early warning for detection engineers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the specific exploitation details of CVE-2026-31611 are not yet publicly available, the following attack chain is a hypothetical scenario based on the nature of the vulnerability:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target system running a vulnerable version of ksmbd.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMB request specifically designed to trigger the sub-authority validation flaw.\u003c/li\u003e\n\u003cli\u003eThe SMB request is sent to the target system\u0026rsquo;s ksmbd service over port 445.\u003c/li\u003e\n\u003cli\u003eThe ksmbd service receives the malicious request and processes the sub-authority data.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient validation, the code attempts to read \u003ccode\u003esub_auth[2]\u003c/code\u003e without ensuring at least three sub-authorities are present.\u003c/li\u003e\n\u003cli\u003eThis leads to an out-of-bounds read, potentially leaking sensitive information or causing a crash.\u003c/li\u003e\n\u003cli\u003eAn attacker might be able to leverage this out-of-bounds read to overwrite memory, potentially leading to 
arbitrary code execution within the kernel.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation could grant the attacker elevated privileges on the system, enabling them to install malware, exfiltrate data, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31611 could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code within the kernel, and potentially compromise the entire system. The impact is particularly severe for systems acting as file servers, as they often hold critical data and are relied upon by multiple users. While the number of potential victims is currently unknown, any system running a vulnerable version of ksmbd is at risk. This could lead to data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for SMB requests that may be attempting to exploit the vulnerability, using a network intrusion detection system (NIDS) or firewall logs. 
Analyze SMB requests for unusual patterns or malformed sub-authority data (network_connection).\u003c/li\u003e\n\u003cli\u003eImplement detections for unusual process execution originating from the ksmbd process, as successful exploitation could lead to arbitrary code execution (process_creation).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts based on suspicious SMB activity (rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-cve-2026-31611-ksmbd/","summary":"CVE-2026-31611 is a vulnerability in ksmbd, requiring at least three sub-authorities before reading sub_auth[2], potentially leading to unauthorized access or code execution.","title":"CVE-2026-31611: ksmbd Sub-Authority Validation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31611-ksmbd/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31609"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["smb","double-free","cve-2026-31609","rce"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31609 is a double-free vulnerability affecting the SMB (Server Message Block) client. The vulnerability resides in the \u003ccode\u003esmbd_free_send_io()\u003c/code\u003e function, which is called after \u003ccode\u003esmbd_send_batch_flush()\u003c/code\u003e. A double-free vulnerability occurs when the same memory is freed twice, potentially corrupting the heap and allowing an attacker to execute arbitrary code. The specifics of exploitation are not detailed in the initial advisory, but successful exploitation could lead to a complete compromise of the affected system. 
This vulnerability demands immediate attention from security teams due to the potential for remote code execution and the widespread use of the SMB protocol in networked environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SMB request designed to trigger the \u003ccode\u003esmbd_send_batch_flush()\u003c/code\u003e function within the SMB client.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esmbd_send_batch_flush()\u003c/code\u003e function executes, processing the crafted SMB request.\u003c/li\u003e\n\u003cli\u003eDue to a flaw in the logic, the same memory is passed twice to a \u003ccode\u003efree()\u003c/code\u003e call within \u003ccode\u003esmbd_free_send_io()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe first \u003ccode\u003efree()\u003c/code\u003e call deallocates the memory as intended.\u003c/li\u003e\n\u003cli\u003eThe second \u003ccode\u003efree()\u003c/code\u003e call attempts to deallocate the already freed memory, causing a double-free condition.\u003c/li\u003e\n\u003cli\u003eThis double-free corrupts the heap metadata, creating an opportunity for an attacker to manipulate memory allocation.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the heap corruption to overwrite critical data structures within the SMB client process.\u003c/li\u003e\n\u003cli\u003eBy overwriting function pointers or other sensitive data, the attacker gains control of the execution flow, leading to arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31609 could allow an attacker to execute arbitrary code on the affected system with the privileges of the SMB client. 
Given the widespread use of SMB for file sharing and network communication, this vulnerability could be leveraged to gain unauthorized access to sensitive data, install malware, or disrupt critical services. The impact could range from data breaches and ransomware attacks to complete system compromise and lateral movement within a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31609 as soon as possible.\u003c/li\u003e\n\u003cli\u003eEnable SMB auditing to monitor for suspicious SMB traffic and potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts by monitoring for unusual SMB client process behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-24-smb-double-free/","summary":"CVE-2026-31609 is a critical double-free vulnerability in the SMB client, specifically within the smbd_free_send_io() function after smbd_send_batch_flush(), potentially leading to arbitrary code execution.","title":"CVE-2026-31609 SMB Client Double-Free Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-24-smb-double-free/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31432"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ksmbd","smb","out-of-bounds write","cve-2026-31432"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31432 is a critical vulnerability affecting the ksmbd server, a Linux kernel implementation of the SMB/CIFS protocol. The vulnerability is an out-of-bounds write that occurs when processing QUERY_INFO requests within compound SMB requests. An attacker could exploit this vulnerability by sending a specially crafted SMB request to a vulnerable ksmbd server. 
Successful exploitation could lead to arbitrary code execution in the context of the kernel or a denial-of-service condition. As a kernel-level vulnerability, exploitation can have severe consequences for system stability and security. The vulnerability highlights the ongoing challenges of ensuring the security of complex network protocols implemented within the kernel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a ksmbd server exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMB compound request containing a malformed QUERY_INFO request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SMB request to the targeted ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe ksmbd server processes the request, triggering the out-of-bounds write in the QUERY_INFO handling routine.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write corrupts adjacent kernel memory.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the system may crash, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker may carefully craft the payload to overwrite specific kernel structures, potentially leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eSuccessful code execution allows the attacker to gain complete control over the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31432 could lead to a complete compromise of the affected system. An attacker could gain the ability to execute arbitrary code within the kernel, leading to data theft, system corruption, or the installation of rootkits. In less severe cases, exploitation could result in a denial-of-service condition, disrupting critical services. 
Given the potential for remote code execution, this vulnerability poses a significant risk to any system running a vulnerable version of ksmbd.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31432 as soon as possible (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SMBv1 Negotiation\u003c/code\u003e to identify potentially malicious SMB traffic patterns (reference: rule \u003ccode\u003eDetect Suspicious SMBv1 Negotiation\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB requests originating from unexpected sources or containing unusual parameters (reference: Attack Chain Step 2).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit (reference: Attack Chain Step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-ksmbd-oob-write/","summary":"CVE-2026-31432 is a critical out-of-bounds write vulnerability in ksmbd, specifically within the QUERY_INFO functionality when handling compound requests, potentially leading to code execution or denial of service.","title":"ksmbd Out-of-Bounds Write Vulnerability in QUERY_INFO (CVE-2026-31432)","url":"https://feed.craftedsignal.io/briefs/2024-01-23-ksmbd-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31613"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-31613","smb","out-of-bounds read","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31613 is a security vulnerability affecting the SMB 
(Server Message Block) client. The vulnerability stems from an out-of-bounds read error that occurs during the parsing of symlink error responses. This can potentially allow a malicious SMB server to send crafted responses that, when processed by the client, lead to reading memory outside of allocated buffers. While the specific details of exploitation are not provided in the source, the nature of an out-of-bounds read can lead to information disclosure or a denial-of-service condition. Microsoft has released a security update to address this vulnerability. Defenders should apply the patch to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious SMB server is set up to serve crafted responses.\u003c/li\u003e\n\u003cli\u003eA client attempts to connect to the malicious SMB server via the SMB protocol.\u003c/li\u003e\n\u003cli\u003eThe server sends a crafted SMB response containing a symlink error.\u003c/li\u003e\n\u003cli\u003eThe client attempts to parse the symlink error response.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the client reads data beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read could result in information disclosure, where sensitive data is exposed, or cause a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disclosed information for further exploitation (if information disclosure occurs).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31613 could lead to information disclosure, potentially exposing sensitive data from the affected system\u0026rsquo;s memory. Alternatively, the vulnerability could be exploited to trigger a denial-of-service condition, disrupting the availability of the SMB client. 
The scope of impact depends on the specific data accessible via the out-of-bounds read and the system\u0026rsquo;s role within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31613 on all systems using the SMB client to prevent potential out-of-bounds reads.\u003c/li\u003e\n\u003cli\u003eEnable SMB logging to monitor for unusual SMB responses or error conditions that may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-cve-2026-31613-smb-oob-read/","summary":"CVE-2026-31613 is an out-of-bounds read vulnerability in the SMB client when parsing symlink error responses, requiring patching to prevent potential information disclosure or denial-of-service.","title":"CVE-2026-31613 SMB Client Out-of-Bounds Read Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-31613-smb-oob-read/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","smb","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule, originally published by Elastic, identifies potentially suspicious processes making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate SMB connections are generally established by the kernel (PID 4). This rule focuses on detecting processes that are not trusted (not signed by Microsoft) or living-off-the-land binaries (LOLBins) initiating SMB connections. It helps to detect port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections. 
The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a binary that is not signed by Microsoft and not a known LOLBin.\u003c/li\u003e\n\u003cli\u003eThis process attempts to establish a network connection to a remote host on port 445 (SMB).\u003c/li\u003e\n\u003cli\u003eThe attacker may use this connection to enumerate shares.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the remote SMB share.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker may copy malicious payloads to the remote share.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the copied payloads on the remote system, achieving lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to lateral movement within the network, allowing the attacker to compromise additional systems and gain further access to sensitive data. The scope of the impact depends on the permissions of the compromised account and the level of access granted to the attacker on the target systems. 
This could result in data exfiltration, system disruption, or ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Outbound SMB Connection by Untrusted Process\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the process execution chain and network connections.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement possibilities.\u003c/li\u003e\n\u003cli\u003eEnsure that systems are patched against known SMB vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes that are not signed by Microsoft.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging to monitor SMB traffic for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-smb-connections/","summary":"This rule identifies potentially suspicious processes, excluding those signed by Microsoft, making Server Message Block (SMB) network connections over port 445, which could indicate lateral movement attempts.","title":"Suspicious SMB Connections via LOLBin or Untrusted Process","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-smb-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","CISCO Talos"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","smb","file-transfer","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","Cisco"],"content_html":"\u003cp\u003eThis detection rule identifies the potential transfer of malicious tools within a Windows environment using SMB shares. Attackers commonly leverage SMB shares to propagate malware, tools, or scripts to compromised systems for lateral movement. 
The rule focuses on detecting the creation or modification of executable files (e.g., .exe, .dll, .ps1) on network shares, which is a strong indicator of malicious activity. The rule leverages Elastic Defend data to detect this activity and can be used to identify systems that may be compromised. This technique is used to deploy additional payloads, credential dumpers, or other malicious tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies accessible SMB shares within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to connect to a target SMB share (port 445) on another system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies an executable file (e.g., malware, a credential dumping tool, or a PowerShell script) to the SMB share.\u003c/li\u003e\n\u003cli\u003eThe target system detects a new file creation or change event on the SMB share.\u003c/li\u003e\n\u003cli\u003eA user or process on the target system executes the transferred file.\u003c/li\u003e\n\u003cli\u003eThe executed file performs malicious actions on the target system, such as credential theft or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly compromised system to further expand their access within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to propagate malware or malicious tools throughout the network, leading to widespread compromise. Lateral movement enables attackers to access sensitive data, escalate privileges, and ultimately achieve their objectives, which may include data exfiltration, ransomware deployment, or system disruption. 
The rule aims to detect this activity early in the attack chain and mitigate potential damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious executable file creation/modification events on SMB shares.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend on all Windows endpoints to provide the necessary data for the detection rule to function.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain, file reputation, and user activity.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file transfers.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 445 (SMB) for suspicious activity, especially connections originating from unusual source IPs (Sigma rule, log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lateral-tool-transfer-smb/","summary":"The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.","title":"Potential Lateral Tool Transfer via SMB Share","url":"https://feed.craftedsignal.io/briefs/2024-01-lateral-tool-transfer-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Secure Access Firewall"],"_cs_severities":["high"],"_cs_tags":["network","smb","lateral-movement","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. 
The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker\u0026rsquo;s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to \u0026ldquo;Hidden Cobra Malware\u0026rdquo;, \u0026ldquo;DHS Report TA18-074A\u0026rdquo;, and \u0026ldquo;NOBELIUM Group\u0026rdquo;, suggesting possible connections to these threat actors or campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised through an initial access vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate network resources accessible from the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages SMB to connect to external servers, typically on ports 139 or 445.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate or negotiate with the external server.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exploit vulnerabilities in the SMB protocol or server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures or relays credential hashes transmitted over the SMB connection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. 
Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn\u0026rsquo;t specified, the detection\u0026rsquo;s relevance to known threat actors suggests potentially widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOutbound SMB Traffic Detected\u003c/code\u003e to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference \u003ccode\u003edetect_outbound_smb_traffic_filter\u003c/code\u003e macro in the original search).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict internal hosts from directly accessing external SMB services.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eCategorize internal CIDR blocks as \u003ccode\u003einternal\u003c/code\u003e in your asset management system to reduce false positives (reference \u0026ldquo;known_false_positives\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eConsider blocking external communications of all SMB versions and related protocols at the network boundary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-outbound-smb/","summary":"This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.","title":"Outbound SMB Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/"}],"language":"en","title":"CraftedSignal Threat Feed — Smb","version":"https://jsonfeed.org/version/1.1"}