IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Direct Outbound SMB Connection
editDirect Outbound SMB Connection
editIdentifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 2 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Rule query
editevent.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or "::1")
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/
Rule version history
edit- Version 2 (7.7.0 release)
-
Updated query, changed from:
event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:("127.0.0.1" or "::1")