IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Direct Outbound SMB Connectionedit
Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 2 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.7.0
Rule queryedit
event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:(127.0.0.1 or "::1")
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/
Rule version historyedit
- Version 2 (7.7.0 release)
-
Updated query, changed from:
event.action:"Network connection detected (rule: NetworkConnect)" and destination.port:445 and not process.pid:4 and not destination.ip:("127.0.0.1" or "::1")