Suspicious SMB Sessions
Query
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend
SMBFileCopyCount = parse_json(AdditionalFields).Count,
FilePath = parse_json(AdditionalFields).FilePath,
FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
TimeGenerated,
ActionType,
SourceDeviceName,
DestinationDeviceName,
FilePath,
FileName,
SMBFileCopyCountAbout this query
Explanation
This KQL query is designed to help identify suspicious SMB (Server Message Block) activities on a network, which can be indicative of malicious behavior such as lateral movement by attackers. Here's a simplified breakdown of the steps involved in the query:
Step 1: Identify Devices with Most SMB Sessions
- Objective: Find devices with the highest number of unique SMB connections.
- Method:
- Exclude domain controllers to reduce noise, as they typically generate many SMB connections.
- Count unique remote IPs connected to each device over a specified timeframe (default is 24 hours).
Step 2: Investigate Files Creating SMB Sessions
- Objective: Identify files responsible for initiating SMB sessions.
- Method:
- Exclude known benign processes (e.g., MDI Sensor, MDE Device Discovery).
- Count unique SMB sessions initiated by each file to detect potentially suspicious files.
Step 3: Investigate Suspicious Files
- Objective: Examine connections made by suspicious files identified in Step 2. - Method:
- Focus on specific files (e.g.,
nmap.exe,bloodhound.exe) that are known for network scanning or reconnaissance. - Gather details about commands executed by these files.
- Focus on specific files (e.g.,
Step 4: Investigate Devices with Suspicious Connections
- Objective: Analyze all connections made by devices identified as suspicious.
- Method:
- List unique IPs accessed by these devices and count the total number of accessed IPs.
Optional Step 5: Investigate SMB File Copies
- Objective: Detect unauthorized file copies over SMB.
- Method:
- Exclude whitelisted accounts.
- List file copy activities, including file paths and names, performed by non-whitelisted accounts.
Conclusion
- If suspicious or malicious activities are detected, further investigation can be conducted using additional Digital Forensics and Incident Response (DFIR) queries.
This query is useful for threat hunting and identifying potential security incidents involving SMB activities within a network.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
DeviceNetworkEvents
IdentityDirectoryEvents
Keywords
DeviceNetworkEventsIdentityDirectoryRemoteIPNameInitiatingProcessFileFolderPathAccountDomainActionTypeTimeGeneratedTimestampAdditionalFields
Operators
letwheresummarizemake_setagodcountsortdynamicinin~<>==has_anyparse_jsonproject-renameproject-reorder