
SMB (Windows File Sharing) Activity from the Internet

Elastic Detection Rules

Summary
Technical summary: This rule detects inbound TCP connections to SMB ports 139 and 445 (Windows File Sharing) from external sources to internal addresses, a high-risk perimeter exposure that is commonly leveraged for initial access and SMB-based exploitation (e.g., EternalBlue). It aggregates data from multiple sources (Elastic Network Traffic, Corelight SMB telemetry, PAN-OS logs, pfSense, and Zeek SMB events) and uses the new_terms approach to surface only the first external source seen per internal host, so that repeat connections from the same source do not generate noise. The rule matches traffic whose destination is within the internal networks 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 and whose source IP is not in private or reserved ranges. It aligns with MITRE ATT&CK techniques External Remote Services (T1133) and Exploit Public-Facing Application (T1190) under the Initial Access tactic. Recommended actions include immediate perimeter containment of the exposed SMB service, correlation with endpoint telemetry for signs of exploitation, verification that the exposure is legitimately needed, and patching of SMB vulnerabilities (MS17-010 and related). Remediation guidance emphasizes blocking external SMB exposure, reviewing NAT and firewall configurations, and ensuring SMB is never directly Internet-facing; where exposure is unavoidable, handle it through a formal exception process with documented risk acceptance. The rule is particularly relevant for incident response and threat hunting focused on perimeter risk and lateral movement prevention.
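As an added illustration (not code from Elastic's rule set), the following Python applies the summarized conditions to constructed flow records and reproduces the new_terms behaviour of alerting only on the first external source seen per internal host. The exact private/reserved exclusion list and the ECS field names are assumptions.

```python
import ipaddress

SMB_PORTS = {139, 445}
# Internal destination networks named in the rule summary (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Source ranges treated as private/reserved (not "from the Internet"). The page names
# the category, not the exact list, so this set is an assumption; TEST-NET-3
# (203.0.113.0/24) is left out so it can stand in for Internet sources in the sample.
NON_EXTERNAL_NETS = INTERNAL_NETS + [ipaddress.ip_network(n) for n in
    ("127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "192.0.2.0/24",
     "198.51.100.0/24", "224.0.0.0/4", "240.0.0.0/4")]

def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def matches_rule(ev):
    """Per-event conditions: TCP to 139/445, internal destination, external source."""
    return (ev["network.transport"] == "tcp"
            and ev["destination.port"] in SMB_PORTS
            and in_any(ev["destination.ip"], INTERNAL_NETS)
            and not in_any(ev["source.ip"], NON_EXTERNAL_NETS))

def new_terms_alerts(events):
    """Alert once per (destination.ip, source.ip) pair; later repeats are suppressed."""
    seen, alerts = set(), []
    for ev in events:
        if matches_rule(ev):
            key = (ev["destination.ip"], ev["source.ip"])
            if key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts

def flow(src, dst, port, proto="tcp"):
    return {"network.transport": proto, "source.ip": src,
            "destination.ip": dst, "destination.port": port}

# Constructed flow records (ECS field names), not real telemetry.
SAMPLE_EVENTS = [
    flow("203.0.113.10", "10.1.2.3", 445),
    flow("203.0.113.10", "10.1.2.3", 445),          # repeat: suppressed by new_terms
    flow("203.0.113.77", "10.1.2.3", 139),          # new external source: alerts
    flow("192.168.5.9", "10.1.2.3", 445),           # internal source: not matched
    flow("203.0.113.10", "10.1.2.3", 445, "udp"),   # not TCP: not matched
    flow("203.0.113.10", "203.0.113.200", 445),     # external destination: not matched
    flow("100.64.1.1", "172.20.0.5", 445),          # shared address space: not matched
]
```

Running `new_terms_alerts(SAMPLE_EVENTS)` yields exactly two alerts for 10.1.2.3, one per distinct external source, which is the de-duplication the summary describes.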
Categories
  • Network
Data Sources
  • Network Traffic
  • Firewall
ATT&CK Techniques
  • T1133
  • T1190
Created: 2026-06-10