{
"dataset": {
"name": "EID Quick Reference - SMB Client and Server",
"version": "1.4.0",
"generatedAt": "2026-04-12T00:00:00Z",
"id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/smb.json",
"schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
"license": {
"name": "Creative Commons Attribution 4.0 International",
"spdx": "CC-BY-4.0",
"notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
},
"sources": [
{
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/",
"type": "primary"
}
]
},
"entries": [
{
"id": 1009,
"log": "SMB",
"provider": "Microsoft-Windows-SMBServer",
"channel": "Microsoft-Windows-SMBServer/Operational",
"level": "Warning",
"title": "SMB server signing not required",
"summary": "The SMB server is configured to not require packet signing.",
"details": "Generated when the SMB server has SMB signing disabled or not required. Without signing, SMB packets in transit are not authenticated and can be modified by an adversary performing a machine-in-the-middle attack. This configuration enables SMB relay attacks, where NTLM credentials captured from one host are relayed to this server to authenticate without knowing the password. This event indicates a configuration posture that makes the environment vulnerable to relay attacks (T1557.001).",
"category": "SMB Security Configuration",
"tags": [
"smb",
"signing",
"relay",
"credential-access",
"lateral-movement"
],
"relatedEventIds": [
{
"id": 31010,
"log": "SMB"
},
{
"id": 8002,
"log": "NTLM"
}
],
"mitreAttack": [
{
"techniqueId": "T1557",
"techniqueName": "Adversary-in-the-Middle",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
},
{
"tacticId": "TA0009",
"tacticName": "Collection"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Verify current Group Policy for 'Microsoft network server: Digitally sign communications always'",
"Identify all endpoints with signing not required to scope the relay attack surface",
"Correlate with NTLM authentication events in the Security log to detect potential relay activity"
],
"commonFalsePositives": [
"Legacy environments where older SMB clients cannot support signing",
"Misconfigured baseline policy — common in environments that have not hardened SMB"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"lastReviewed": "2026-04-10"
},
{
"id": 3000,
"log": "SMB",
"provider": "Microsoft-Windows-SMBServer",
"channel": "Microsoft-Windows-SMBServer/Operational",
"level": "Warning",
"title": "SMB1 protocol negotiated",
"summary": "A client negotiated the legacy SMB1 protocol with this server.",
"details": "Generated when a client connects to this server using the legacy SMBv1 protocol. SMB1 lacks the security features of SMB2/3 (encryption, pre-authentication integrity, secure negotiation) and is the protocol exploited by EternalBlue (MS17-010) and by the malware that later weaponized that exploit (WannaCry, NotPetya). The presence of this event indicates either a legacy client in the environment or a forced protocol downgrade.",
"category": "SMB Protocol Downgrade",
"tags": [
"smb",
"smb1",
"legacy-protocol",
"eternalblue",
"lateral-movement"
],
"relatedEventIds": [
{
"id": 1009,
"log": "SMB"
},
{
"id": 5140,
"log": "Security"
},
{
"id": 8002,
"log": "NTLM"
}
],
"mitreAttack": [
{
"techniqueId": "T1210",
"techniqueName": "Exploitation of Remote Services",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Identify the client IP to determine which endpoint is using or forcing SMB1",
"Check whether SMB1 is intentionally enabled on the server via Set-SmbServerConfiguration",
"Correlate with Security log EID 5140 (network share access) to see what shares were accessed over SMB1"
],
"commonFalsePositives": [
"Legacy devices such as older NAS appliances, printers, or scanners that only support SMB1",
"Older Windows versions (Windows XP, Server 2003) still present in the environment"
]
},
"keyFields": [
{
"name": "ClientIpAddress",
"xpath": "EventData/Data[@Name='ClientIpAddress']",
"description": "IP address of the client that negotiated SMB1"
}
],
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security"
},
"detectionRules": [
{
"platform": "KQL",
"title": "SMB1 Protocol Negotiation Detected",
"rule": "Event\n| where Source == \"Microsoft-Windows-SMBServer\"\n| where EventID == 3000\n| parse EventData with * '<Data Name=\"ClientIpAddress\">' ClientIpAddress '</Data>' *\n| project TimeGenerated, Computer, ClientIpAddress\n| order by TimeGenerated desc",
"notes": "Any SMB1 usage should be investigated unless legacy devices are known and documented. EternalBlue exploits via SMB1 are still active threats."
},
{
"platform": "Sigma",
"title": "SMB1 Protocol Used",
"rule": "title: SMB1 Protocol Negotiated\nstatus: stable\nlogsource:\n product: windows\n service: smb\ndetection:\n selection:\n EventID: 3000\n condition: selection\nfalsepositives:\n - Legacy NAS/printer devices using SMB1\n - Old OS versions not yet upgraded\nlevel: medium"
}
],
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"lastReviewed": "2026-04-10"
},
{
"id": 30803,
"log": "SMB",
"provider": "Microsoft-Windows-SMBClient",
"channel": "Microsoft-Windows-SMBClient/Operational",
"level": "Warning",
"title": "SMB client failed to connect to server",
"summary": "The SMB client could not establish a session with a remote server.",
"details": "Generated on the client when an SMB connection attempt to a remote server fails. This event is significant for lateral movement detection because adversaries attempting to access remote shares, deploy tools via admin shares (C$, ADMIN$, IPC$), or use SMB-based execution (e.g., PsExec, SCM) will generate failed connection events when targeting unavailable or hardened hosts. High volumes of this event from a single source targeting multiple destinations are a strong indicator of network reconnaissance or lateral movement attempts.",
"category": "SMB Connection Failure",
"tags": [
"smb",
"connection-failure",
"lateral-movement",
"reconnaissance"
],
"relatedEventIds": [
{
"id": 30804,
"log": "SMB"
},
{
"id": 31001,
"log": "SMB"
},
{
"id": 5140,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1021.002",
"techniqueName": "Remote Services: SMB/Windows Admin Shares",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"High counts of this event targeting different ServerName values from one host indicate a scanning or lateral movement pattern",
"Admin share targets (C$, ADMIN$, IPC$) are higher fidelity than general share names",
"Correlate with Security log EID 4625 (failed logon) on the destination host to confirm authentication attempts"
],
"commonFalsePositives": [
"Network drive mappings to temporarily unavailable servers",
"Application startup routines attempting to connect to expected shares before they are available",
"Group Policy processing during startup when a DC is temporarily unreachable"
]
},
"keyFields": [
{
"name": "ServerName",
"xpath": "EventData/Data[@Name='ServerName']",
"description": "Remote server the SMB client attempted to connect to"
},
{
"name": "ShareName",
"xpath": "EventData/Data[@Name='ShareName']",
"description": "Share name targeted in the connection attempt"
},
{
"name": "Status",
"xpath": "EventData/Data[@Name='Status']",
"description": "NTSTATUS error code indicating why the connection failed"
}
],
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"lastReviewed": "2026-04-02"
},
{
"id": 30804,
"log": "SMB",
"provider": "Microsoft-Windows-SMBClient",
"channel": "Microsoft-Windows-SMBClient/Operational",
"level": "Warning",
"title": "SMB client lost connection to server",
"summary": "An established SMB session was unexpectedly terminated.",
"details": "Generated when an active SMB client connection to a remote server is lost unexpectedly. Unexpected disconnections during active operations can indicate network disruption, server-side session termination, or adversarial interference. In incident response contexts, sudden session drops following suspicious activity may indicate defensive action (firewall block, host isolation) or attacker-side cleanup.",
"category": "SMB Connection Failure",
"tags": [
"smb",
"disconnection",
"lateral-movement"
],
"relatedEventIds": [
{
"id": 30803,
"log": "SMB"
},
{
"id": 4634,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1021.002",
"techniqueName": "Remote Services: SMB/Windows Admin Shares",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Determine whether the disconnect follows a successful authentication and file access (use EID 5140 on the server)",
"Correlate with Security log EID 4634 or 4779 on the server to understand the session lifecycle",
"A pattern of connect → brief activity → disconnect across multiple hosts suggests tool staging"
],
"commonFalsePositives": [
"Network instability or brief server unavailability",
"Server-side session timeouts for idle connections",
"Load balancer or failover events disconnecting sessions"
]
},
"keyFields": [
{
"name": "ServerName",
"xpath": "EventData/Data[@Name='ServerName']",
"description": "Remote server the connection was lost to"
},
{
"name": "Status",
"xpath": "EventData/Data[@Name='Status']",
"description": "Status code indicating the reason for the disconnection"
}
],
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security"
},
"volumeIndicator": "high",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"lastReviewed": "2026-04-02"
},
{
"id": 31001,
"log": "SMB",
"provider": "Microsoft-Windows-SMBClient",
"channel": "Microsoft-Windows-SMBClient/Operational",
"level": "Warning",
"title": "SMB client authentication failure",
"summary": "The SMB client failed to authenticate to a remote server.",
"details": "Generated when the SMB client fails to authenticate to a remote SMB server. Authentication failures in SMB context are significant for detecting pass-the-hash (T1550.002) attempts, credential spraying, and brute-force attacks against SMB shares. Multiple failures to the same server with different usernames indicate a spray attack; repeated failures with the same username suggest a targeted brute-force attempt or a failed pass-the-hash attempt.",
"category": "SMB Authentication Failure",
"tags": [
"smb",
"authentication-failure",
"credential-access",
"lateral-movement",
"pass-the-hash"
],
"relatedEventIds": [
{
"id": 30803,
"log": "SMB"
},
{
"id": 4625,
"log": "Security"
}
],
"mitreAttack": [
{
"techniqueId": "T1550.002",
"techniqueName": "Use Alternate Authentication Material: Pass the Hash",
"tactics": [
{
"tacticId": "TA0008",
"tacticName": "Lateral Movement"
}
]
},
{
"techniqueId": "T1110",
"techniqueName": "Brute Force",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Multiple failures to different ServerName values from one source host indicate lateral movement scanning",
"Distinguishing STATUS_LOGON_FAILURE from STATUS_ACCOUNT_LOCKED_OUT in the Status field helps separate failed attempts from lockout conditions",
"Correlate UserName with known privileged accounts — failures with admin accounts are highest priority",
"Compare with successful SMB authentications (EID 4624 on server) to identify eventual success after failures"
],
"commonFalsePositives": [
"Stale mapped drive credentials after a password change",
"Service accounts with cached old passwords",
"Backup software or monitoring tools using stored credentials that have expired"
]
},
"keyFields": [
{
"name": "ServerName",
"xpath": "EventData/Data[@Name='ServerName']",
"description": "Remote server the authentication was attempted against"
},
{
"name": "UserName",
"xpath": "EventData/Data[@Name='UserName']",
"description": "Account used in the failed authentication attempt"
},
{
"name": "Status",
"xpath": "EventData/Data[@Name='Status']",
"description": "NTSTATUS error code (e.g., STATUS_LOGON_FAILURE, STATUS_ACCOUNT_LOCKED_OUT)"
}
],
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security"
},
"detectionRules": [
{
"platform": "KQL",
"title": "SMB Authentication Failures Targeting Multiple Servers",
"rule": "Event\n| where Source == \"Microsoft-Windows-SMBClient\"\n| where EventID == 31001\n| parse EventData with * '<Data Name=\"ServerName\">' ServerName '</Data>' *\n| parse EventData with * '<Data Name=\"UserName\">' UserName '</Data>' *\n| summarize FailCount = count(), DistinctServers = dcount(ServerName) by Computer, UserName, bin(TimeGenerated, 10m)\n| where DistinctServers >= 3\n| project TimeGenerated, Computer, UserName, FailCount, DistinctServers\n| order by DistinctServers desc",
"notes": "Failures spread across multiple target servers are a stronger lateral movement signal than repeated failures against a single target. Correlate with EID 4625 on target hosts."
}
],
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"lastReviewed": "2026-04-05"
},
{
"id": 31010,
"log": "SMB",
"provider": "Microsoft-Windows-SMBClient",
"channel": "Microsoft-Windows-SMBClient/Operational",
"level": "Warning",
"title": "SMB client found server does not support signing",
"summary": "The SMB client connected to a server that does not require or support SMB signing.",
"details": "Generated on the SMB client when it connects to a server that does not enforce SMB packet signing. This event identifies the client-side observation of an unsigned SMB session, complementing server-side EID 1009. Unsigned SMB sessions are vulnerable to relay attacks where an attacker positioned between client and server can modify packets or relay captured NTLM authentication. In an environment with SMB signing enforced via Group Policy, the presence of this event indicates a server that is not compliant with the signing policy.",
"category": "SMB Security Configuration",
"tags": [
"smb",
"signing",
"relay",
"credential-access"
],
"relatedEventIds": [
{
"id": 1009,
"log": "SMB"
},
{
"id": 31001,
"log": "SMB"
},
{
"id": 8002,
"log": "NTLM"
}
],
"mitreAttack": [
{
"techniqueId": "T1557",
"techniqueName": "Adversary-in-the-Middle",
"tactics": [
{
"tacticId": "TA0006",
"tacticName": "Credential Access"
},
{
"tacticId": "TA0009",
"tacticName": "Collection"
}
]
}
],
"notesGuidance": {
"investigationPivots": [
"Identify the ServerName to determine which server is not enforcing signing",
"Correlate with EID 1009 on the destination server to confirm its signing configuration",
"Check compliance with the Group Policy setting 'Microsoft network server: Digitally sign communications always'"
],
"commonFalsePositives": [
"Third-party NAS devices or appliances that implement SMB but do not support signing",
"Non-Windows SMB servers (Samba) not configured to require signing"
]
},
"source": {
"name": "Microsoft Learn",
"url": "https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-security"
},
"volumeIndicator": "low",
"windowsVersions": {
"minVersion": "Windows Vista / Server 2008"
},
"lastReviewed": "2026-04-10"
}
]
}