Hunting Rogue Endpoints Via SMB Detection
Query
// Hunting Rogue Endpoints via SMB Detection
// In recent ransomware attacks, many adversaries leverage the SMB service to initiate attacks and conduct lateral movement. Therefore, a simple and effective control measure is to block SMB traffic between clients using Windows Firewall. If you have a firewall policy in place and are using Microsoft Defender for Endpoint (MDE), running the following Kusto Query Language (KQL) script will help you identify potential rogue endpoints plugged into your network that are attempting to attack other endpoints or an endpoint EDR that has been disabled by ransomware and is launching attacks within your network environment.
//Additionally, I’ve included the latest blog post from Seqrite, "Exposed SMB: The Hidden Risk Behind ‘WannaCry’ Ransomware Attacks," in the comments section. This post will help you understand the ransomware attack methodology and demonstrate how my KQL script can serve as an early warning detection mechanism.
// https://www.seqrite.com/blog/wanttocry-ransomware-smb-vulnerability/
DeviceEvents
| where ActionType == @"FirewallInboundConnectionBlocked"
| where LocalPort == "445"
| summarize TargetDevice=dcount(DeviceName) by RemoteIP
| where TargetDevice > 3Explanation
This KQL query is designed to help identify potentially rogue endpoints on a network by monitoring blocked inbound SMB connections. Here's a simple breakdown of what the query does:
-
Data Source: It looks at
DeviceEvents, which likely contains logs of various device activities. -
Filter Criteria:
- It filters events where the action type is
FirewallInboundConnectionBlocked, indicating that an inbound connection attempt was blocked by the firewall. - It further narrows down to connections targeting port
445, which is commonly used for SMB (Server Message Block) protocol.
- It filters events where the action type is
-
Analysis:
- It counts the number of unique devices (
TargetDevice) that have been targeted by blocked connections from each remote IP address (RemoteIP).
- It counts the number of unique devices (
-
Alert Condition:
- It identifies remote IPs that have attempted to connect to more than three different devices, suggesting potentially suspicious behavior.
The purpose of this query is to detect unusual SMB traffic patterns that could indicate rogue devices or compromised endpoints attempting lateral movement within the network, which is a common tactic in ransomware attacks.
Details

Steven Lim
Released: February 1, 2025
Tables
DeviceEvents
Keywords
DeviceEvents
Operators
wheresummarizeby