
Summary
This detection rule identifies rare network connections to the internet made via SMB (Server Message Block), a protocol adversaries often abuse to exfiltrate data and to capture credentials through NTLM (NT LAN Manager) hash theft. Specifically, the rule looks for unusual outbound SMB traffic from internal IP addresses to external networks over ports 139 and 445, excluding known safe IP ranges, and it is designed to flag connections initiated by the Windows System process (PID 4). It draws on data from sources such as Microsoft Defender logs, Sysmon, and other endpoint logs. Detections carry a risk score of 47 and medium severity, indicating a potential exfiltration attempt. An accompanying investigation guide covers investigation steps, false positive analysis, and response recommendations for any detected anomalies. The aim is to strengthen defenses against credential theft and data leakage by monitoring anomalous SMB behavior.
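The filter the summary describes (outbound, System process PID 4, destination port 139 or 445, internal source, external destination not in an allowlist), written out as runnable detection logic over a handful of constructed network events. This is an added example and not the rule's own query: the `NetEvent` shape, the `SAFE_RANGES` allowlist, and the per-destination count used as the "rare" measure are assumptions, since the summary does not say how rarity is computed.

```python
"""Outbound SMB from the Windows System process (PID 4) to non-internal addresses.
Added example; event shape, allowlist and rarity threshold are assumptions."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

SMB_PORTS = {139, 445}
SYSTEM_PID = 4  # kernel-mode SMB redirector traffic is attributed to the System process

# Address space treated as "internal" (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
# Not routable on the internet, so never a plausible exfiltration destination.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]
# Constructed allowlist standing in for the rule's "known safe IP ranges"
# (CGNAT space plus a placeholder block for an approved file-share provider).
# Documentation blocks 198.51.100.0/24 and 203.0.113.0/24 serve as stand-ins
# for internet hosts below, so they are deliberately NOT in NON_ROUTABLE.
SAFE_RANGES = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "203.0.113.0/24")]


@dataclass(frozen=True)
class NetEvent:
    host: str
    pid: int
    process: str
    direction: str  # "outbound" or "inbound" from the endpoint's point of view
    src_ip: str
    dst_ip: str
    dst_port: int


def _in_any(ip_str, networks):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in networks)


def is_internal(ip_str):
    return _in_any(ip_str, INTERNAL)


def is_external(ip_str):
    """True for addresses that are neither internal, non-routable, nor allowlisted."""
    return not (is_internal(ip_str) or _in_any(ip_str, NON_ROUTABLE)
                or _in_any(ip_str, SAFE_RANGES))


def matches_rule(ev):
    """Per-event filter: System process, outbound, SMB port, internal -> external."""
    return (ev.direction == "outbound"
            and ev.pid == SYSTEM_PID
            and ev.dst_port in SMB_PORTS
            and is_internal(ev.src_ip)
            and is_external(ev.dst_ip))


def rare_smb_to_internet(events, max_seen=2):
    """Keep matching events whose destination appears at most `max_seen` times in
    the window. Counting per destination is an assumed rarity measure; the rule
    summary says "rare" but does not specify how rarity is computed."""
    candidates = [e for e in events if matches_rule(e)]
    seen = Counter(e.dst_ip for e in candidates)
    return [e for e in candidates if seen[e.dst_ip] <= max_seen]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    NetEvent("ws01", 4, "System", "outbound", "10.0.0.5", "198.51.100.23", 445),          # hit
    NetEvent("ws02", 4, "System", "outbound", "10.0.0.6", "10.0.0.20", 445),              # internal share
    NetEvent("ws01", 1234, "explorer.exe", "outbound", "10.0.0.5", "198.51.100.23", 445),  # not PID 4
    NetEvent("ws03", 4, "System", "outbound", "10.0.0.7", "203.0.113.9", 445),            # allowlisted
    NetEvent("ws01", 4, "System", "inbound", "198.51.100.23", "10.0.0.5", 445),           # inbound
    NetEvent("ws04", 4, "System", "outbound", "192.168.1.10", "198.51.100.77", 139),      # hit
] + [NetEvent("fs01", 4, "System", "outbound", "10.0.0.8", "198.51.100.50", 445)] * 3  # common dest

if __name__ == "__main__":
    for ev in rare_smb_to_internet(SAMPLE_EVENTS):
        print(f"{ev.host}: {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port} (pid {ev.pid})")
```

Of the five events that pass the per-event filter, the three repeated connections from `fs01` to the same destination are dropped as "common", leaving the two one-off destinations as alerts. In practice the allowlist is where most tuning happens: each approved external SMB endpoint (a sanctioned cloud file share, for example) belongs in `SAFE_RANGES` rather than being triaged as a false positive every time.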
Categories
- Endpoint
- Windows
- Cloud
- Infrastructure
Data Sources
- Network Traffic
- Process
- Application Log
- User Account
- File
ATT&CK Techniques
- T1048
Created: 2023-12-04