SMB (Windows File Sharing) Activity from the Internet

Last updated 22 days ago on 2026-06-10
Created 22 days ago on 2026-06-10

About

This rule detects network events that may indicate inbound Windows file sharing (SMB or CIFS) traffic originating from the Internet. SMB should never be directly reachable from the Internet, as it is a primary target for exploitation by threat actors seeking initial access. Inbound SMB from a public IP is a direct precondition for attacks such as EternalBlue (MS17-010) and related SMB remote code execution vulnerabilities.
Tags
Tactic: Initial Access
Domain: Network
Use Case: Threat Detection
Data Source: Corelight
Data Source: PAN-OS
Data Source: Network Traffic
Data Source: pfSense
Data Source: Zeek
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-corelight.*
logs-network_traffic.*
logs-panw.panos*
logs-pfsense.log-*
logs-zeek.*
Related Integrations

corelight

network_traffic

panw

pfsense

zeek

Query
```kuery
(data_stream.dataset:(network_traffic.flow or zeek.smb_cmd or zeek.smb_files or zeek.smb_mapping or pfsense.log)
  or event.category:(network or network_traffic))
and network.transport:tcp
and destination.port:(139 or 445)
and destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
and not source.ip:(
  10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or
  192.0.0.0/24 or 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or
  192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or 192.175.48.0/24 or
  192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or
  203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8"
)
```

Install detection rules in Elastic Security

Detect SMB (Windows File Sharing) Activity from the Internet in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.