Anomalous amount of SMB sessions created (BloodHound)
Anomalous SMB Sessions Created
Query
let Threshold = 50; // Can be adjusted to reduce false positives
DeviceNetworkEvents
| where ingestion_time() > ago(1h)
| where RemotePort == 445
| summarize
TotalIpsAccessed = dcount(RemoteIP),
RemoteIPs = make_set(RemoteIP),
arg_max(Timestamp, *)
by DeviceName, bin(Timestamp, 15m)
| where TotalIpsAccessed >= Threshold
| project-reorder Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPathAbout this query
Anomalous amount of SMB sessions created (BloodHound)
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1018 | Remote System Discovery | https://attack.mitre.org/techniques/T1018 |
Description
This detection rule is aimed to detect a host that performs SMB Discovery by alerting if a device creates more then 50 unique SMB sessions within 15 minutes. That is one of the characteristics of bloodhound. The SMB sessions can be used to identify remote systems.
Risk
A actor has gotten access to a system en performs a scan to identify possible lateral movement paths.
Defender XDR
Sentinel
let Threshold = 50; // Can be adjusted to reduce false positives
DeviceNetworkEvents
| where ingestion_time() > ago(1h)
| where RemotePort == 445
| summarize
TotalIpsAccessed = dcount(RemoteIP),
RemoteIPs = make_set(RemoteIP),
arg_max(TimeGenerated, *)
by DeviceName, bin(TimeGenerated, 15m)
| where TotalIpsAccessed >= Threshold
| project-reorder TimeGenerated, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath
Explanation
This query is designed to detect unusual activity on a network that might indicate a security threat. Specifically, it looks for devices that are creating a large number of SMB (Server Message Block) sessions in a short period of time, which could be a sign of a tool like BloodHound being used for network discovery.
Here's a simple breakdown of what the query does:
-
Threshold Setting: It sets a threshold of 50 unique SMB sessions within 15 minutes. This threshold can be adjusted to reduce false positives.
-
Data Source: The query looks at network events from devices, specifically those that have been ingested in the last hour.
-
Filter Criteria: It filters the events to only include those where the remote port is 445, which is used for SMB communication.
-
Aggregation: It counts the number of unique IP addresses accessed by each device within 15-minute intervals.
-
Alert Condition: If a device accesses 50 or more unique IPs within a 15-minute window, it is flagged as potentially suspicious.
-
Output: The query outputs details such as the timestamp, device name, command line of the initiating process, account name, and folder path of the initiating process for further investigation.
This query helps identify potential security threats by flagging devices that might be scanning the network for vulnerable systems, which is a common precursor to lateral movement within a network.
