Initial Access (TA0001)(external, opens in a new tab or window)
corelight(external, opens in a new tab or window)
network_traffic(external, opens in a new tab or window)
panw(external, opens in a new tab or window)
text code block:(data_stream.dataset:(network_traffic.flow or zeek.smb_cmd or zeek.smb_files or zeek.smb_mapping or pfsense.log) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:(139 or 445) and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not source.ip:( 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" )
Install detection rules in Elastic Security
Detect SMB (Windows File Sharing) Activity from the Internet in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).