Direct Outbound SMB Connection
editDirect Outbound SMB Connection
editIdentifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Lateral Movement
Version: 5 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Rule query
editsequence by process.entity_id [process where event.type == "start" and process.pid != 4] [network where destination.port == 445 and process.pid != 4 and not cidrmatch(destination.ip, "127.0.0.1", "::1")]
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/
Rule version history
edit- Version 5 (7.10.0 release)
-
-
Updated query, changed from:
event.category:network and event.type:connection and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or "::1")
-
- Version 4 (7.9.1 release)
-
- Formatting only
- Version 3 (7.9.0 release)
-
-
Updated query, changed from:
event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or "::1")
-
- Version 2 (7.7.0 release)
-
-
Updated query, changed from:
event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:("127.0.0.1" or "::1")
-