Query Details

Credential Access, NTLM stealing Over SMB

SBMNTLM

Query

DeviceNetworkEvents
| where ActionType == @"ConnectionSuccess"
| where (RemotePort==445 or RemotePort == 135)and RemoteIPType == @"Public" and InitiatingProcessVersionInfoCompanyName != @"VMware, Inc." and RemoteUrl !contains "google"

Explanation

This query looks for outgoing internet traffic that could indicate NTLM stealing over SMB. It filters for connections on ports 445 or 135 to public IP addresses, excludes connections from VMware, and excludes connections to Google.

Details

Ali Hussein profile picture

Ali Hussein

Released: February 20, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsActionTypeRemotePortRemoteIPTypeInitiatingProcessVersionInfoCompanyNameRemoteUrl

Operators

where==orand!=contains

Actions

GitHub