Detect Unknown process using SMB or WinRM
Detect Unkown Process Using Smb And Winrm
Query
DeviceNetworkEvents
| where TimeGenerated > ago(1h)
| where RemotePort in ("5985", "5986", "445")
| where ActionType in~ ("ConnectionSuccess", "ConnectionAttempt",
"ConnectionFailed", "ConnectionRequest")
| where isnotempty(InitiatingProcessSHA256)
| invoke FileProfile(InitiatingProcessSHA256)
| where isnotempty(GlobalPrevalence) and GlobalPrevalence < 1000About this query
Explanation
This query is designed to detect potentially malicious activity on a network by identifying unknown processes that are using specific network protocols, namely SMB (Server Message Block) and WinRM (Windows Remote Management), which are often used for lateral movement by attackers.
Here's a simplified breakdown of what the query does:
-
Data Source: It looks at network events from devices, specifically focusing on events that have occurred in the last hour.
-
Target Ports: It filters the events to those involving network connections on ports 5985, 5986, and 445. These ports are associated with WinRM and SMB services.
-
Connection Types: It considers various types of connection actions, such as successful connections, attempts, failures, and requests.
-
Process Identification: It checks for the presence of a SHA256 hash for the initiating process, which helps identify the specific process making the connection.
-
File Profiling: It uses the
FileProfilefunction to gather additional information about the process based on its SHA256 hash. -
Prevalence Check: It filters out processes that are globally prevalent (i.e., commonly seen across many systems) by only considering those with a global prevalence of less than 1000. This helps focus on less common, potentially suspicious processes.
The goal of this query is to identify unusual processes that might be indicative of malware attempting to move laterally across the network using SMB or WinRM. It serves as a base detection rule, and further customization is recommended to reduce false positives from legitimate processes.
Details

Robbe Van den Daele
Released: January 12, 2026
Tables
Keywords
Operators