Unsigned or Unencrypted SMB Connection to Share Established

Severity: medium
Author: Mohamed Abdelghani
Source: upstream

Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1021.002` Remote Services: SMB/Windows Admin Shares

Event coverage

Provider	Event ID	Title
SMBServer	4000

Stages and Predicates

Stage 1: `all of selection_shares`

or:
ShareName|contains: 'ADMIN$'
ShareName|contains: 'C$'
ShareName|contains: 'IPC$'

Stage 2: `all of selection_status`

or:
EncyptionUsed: false
SigningUsed: false

Stage 3: `not 1 of filter_main_local_ips`

or:
ClientAddress|cidr: '127.0.0.0/8'
ClientAddress|cidr: '169.254.0.0/16'
ClientAddress|cidr: '::1/128'
ClientAddress|cidr: 'fc00::/7'
ClientAddress|cidr: 'fe80::/10'
ClientAddress|contains: 00000000000000000000000000000001
ClientAddress|contains: '0200????7F'
ClientAddress|contains: '0200????A9FE'
ClientAddress|contains: FC00000000000000
ClientAddress|contains: FE80000000000000

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ClientAddress`	cidr_match	`127.0.0.0/8` corpus 4 (sigma 4) `169.254.0.0/16` corpus 4 (sigma 4) `::1/128` corpus 4 (sigma 4) `fc00::/7` corpus 4 (sigma 4) `fe80::/10` corpus 4 (sigma 4)
`ClientAddress`	match	`00000000000000000000000000000001` `0200????7F` `0200????A9FE` `FC00000000000000` `FE80000000000000`
`EncyptionUsed`	eq	`false`
`ShareName`	match	`ADMIN$` `C$` `IPC$`
`SigningUsed`	eq	`false`