Detection | medium | experimental
Unsigned or Unencrypted SMB Connection to Share Established
Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.
Log Source
Product: windows
Service: smbserver-connectivity
Detection Logic (3 selectors)
detection:
    selection_shares:
        EventID: 4000
        ShareName|contains:
            - 'IPC$'
            - 'ADMIN$'
            - 'C$'
    selection_status:
        - SigningUsed: 'false'
        - EncyptionUsed: 'false' # Note: typo in the original event field name
    filter_main_local_ips:
        - ClientAddress|cidr:
            # IPv4
            # - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '169.254.0.0/16'
            # - '172.16.0.0/12'
            # - '192.168.0.0/16'
            # IPv6
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
        # The filters below cover the XML raw log
        - ClientAddress|contains:
            # IPv6
            - '00000000000000000000000000000001' # ::1 - IPv6 loopback
            - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
            - 'FC00000000000000' # fc00:: - IPv6 private addresses
            # IPv4
            # The "?" are meant to represent the port
            # - '0200????C0A8' # 192.168.
            # - '0200????AC' # 172.
            # - '0200????0A' # 10.
            - '0200????7F' # 127
            - '0200????A9FE' # 169.254.
    condition: all of selection_* and not 1 of filter_main_*

False Positives
Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.
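As an added worked example (not part of the rule or of the Sigma project), the Python below re-implements the detection logic above over constructed sample events, including the hex-encoded raw-XML form of ClientAddress that the second filter targets; the event dict layout and the SAMPLE_EVENTS values are assumptions, while the share names, networks, wildcard patterns and field spellings (including the misspelled EncyptionUsed) are taken from the rule.

```python
import ipaddress
from fnmatch import fnmatchcase

# Share names, filter networks and raw-XML patterns copied from the rule above.
ADMIN_SHARES = ("IPC$", "ADMIN$", "C$")
LOCAL_CIDRS = [ipaddress.ip_network(c) for c in
               ("127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# Raw-XML form: the address is a hex-encoded sockaddr, "0200" = AF_INET,
# then two port bytes (the "??" wildcards), then the IPv4 octets.
LOCAL_RAW_PATTERNS = ("00000000000000000000000000000001",  # ::1
                      "FE80000000000000", "FC00000000000000",
                      "0200????7F", "0200????A9FE")

def is_local_client(addr: str) -> bool:
    # Mirrors filter_main_local_ips: cidr test for textual addresses, wildcard test otherwise.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Not a textual address: apply the 'contains' wildcards (Sigma matches
        # case-insensitively, so compare in upper case).
        raw = addr.upper()
        return any(fnmatchcase(raw, f"*{p}*") for p in LOCAL_RAW_PATTERNS)
    return any(ip in net for net in LOCAL_CIDRS)

def matches_rule(event: dict) -> bool:
    # condition: all of selection_* and not 1 of filter_main_*
    if event.get("EventID") != 4000:
        return False
    share = str(event.get("ShareName", "")).upper()
    if not any(s in share for s in ADMIN_SHARES):
        return False
    # selection_status is a list of maps, so either field being 'false' is enough.
    insecure = (str(event.get("SigningUsed", "")).lower() == "false"
                or str(event.get("EncyptionUsed", "")).lower() == "false")
    return insecure and not is_local_client(str(event.get("ClientAddress", "")))

# Constructed sample events (assumed field layout, not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4000, "ShareName": "\\\\FS01\\ADMIN$", "SigningUsed": "false",
     "EncyptionUsed": "true", "ClientAddress": "10.1.2.3"},          # hit
    {"EventID": 4000, "ShareName": "\\\\FS01\\C$", "SigningUsed": "false",
     "EncyptionUsed": "false", "ClientAddress": "127.0.0.1"},         # loopback, filtered
    {"EventID": 4000, "ShareName": "\\\\FS01\\IPC$", "SigningUsed": "true",
     "EncyptionUsed": "false", "ClientAddress": "02001F907F000001"},  # raw 127.0.0.1:8080, filtered
    {"EventID": 4000, "ShareName": "\\\\FS01\\IPC$", "SigningUsed": "true",
     "EncyptionUsed": "false", "ClientAddress": "02001F900A010203"},  # raw 10.1.2.3:8080, hit
    {"EventID": 4000, "ShareName": "\\\\FS01\\Public", "SigningUsed": "false",
     "EncyptionUsed": "false", "ClientAddress": "10.1.2.3"},          # not an admin share
]
```

Because the 10/8, 172.16/12 and 192.168/16 entries are commented out in the rule, the first and fourth sample events fire; uncommenting them in LOCAL_CIDRS and LOCAL_RAW_PATTERNS reproduces the tuning the False Positives note suggests.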
MITRE ATT&CK
Tactic: Lateral Movement (attack.lateral-movement)
Sub-technique: T1021.002 SMB/Windows Admin Shares (attack.t1021.002)
Rule Metadata
Rule ID
8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12
Status
experimental
Level
medium
Type
Detection
Created
Sun Oct 19
Author
Path
rules/windows/builtin/smbserver/connectivity/win_smbserver_connectivity_unsigned_and_unencrypted_share_connection.yml
Raw Tags
attack.lateral-movement, attack.t1021.002