LoFP / Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.

Techniques

Sample rules

Unsigned or Unencrypted SMB Connection to Share Established

Description

Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_local_ips:
- ClientAddress|cidr:
  - 127.0.0.0/8
  - 169.254.0.0/16
  - ::1/128
  - fe80::/10
  - fc00::/7
- ClientAddress|contains:
  - '00000000000000000000000000000001'
  - FE80000000000000
  - FC00000000000000
  - 0200????7F
  - 0200????A9FE
selection_shares:
  EventID: 4000
  ShareName|contains:
  - IPC$
  - ADMIN$
  - C$
selection_status:
- SigningUsed: 'false'
- EncryptionUsed: 'false'
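To see how the filter above removes the false positive this LoFP entry describes, the following is an added example (not part of this page and not the SigmaHQ rule itself) that re-implements the rule's logic in plain Python and runs it over constructed sample events. It assumes the event carries the fields named in the rule (`EventID`, `ShareName`, `ClientAddress`, `SigningUsed`, `EncryptionUsed`), implements Sigma's `contains` with `?` as a single-character wildcard, and adds a hypothetical `extra_filter_cidrs` parameter to show the kind of tuning the entry asks for (for instance, excluding private ranges). All addresses and share names below are made up.

```python
"""Evaluate the 'Unsigned or Unencrypted SMB Connection to Share Established'
logic over constructed sample events.  Added example; not the page's or the
SigmaHQ project's own code."""
import ipaddress

# filter_main_local_ips / ClientAddress|cidr
LOCAL_CIDRS = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# filter_main_local_ips / ClientAddress|contains (hex-encoded address forms)
LOCAL_HEX_PATTERNS = [
    "00000000000000000000000000000001",  # ::1 as raw hex
    "FE80000000000000",                  # fe80::/64 prefix
    "FC00000000000000",                  # fc00::/64 prefix
    "0200????7F",                        # AF_INET sockaddr, port wildcard, 127.x
    "0200????A9FE",                      # AF_INET sockaddr, port wildcard, 169.254.x
]

ADMIN_SHARES = ("IPC$", "ADMIN$", "C$")   # selection_shares / ShareName|contains


def _wildcard_contains(value: str, pattern: str) -> bool:
    """Sigma 'contains': case-insensitive substring, '?' matches one character."""
    v, p = value.upper(), pattern.upper()
    if len(p) > len(v):
        return False
    for i in range(len(v) - len(p) + 1):
        window = v[i:i + len(p)]
        if all(pc == "?" or pc == vc for pc, vc in zip(p, window)):
            return True
    return False


def _in_cidr(addr: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hex-encoded or malformed; handled by the contains filter
        return False
    return any(ip in n for n in nets)


def is_local_client(addr: str, extra_filter_cidrs=()) -> bool:
    """True when the client address is covered by filter_main_local_ips
    (plus any hypothetical tuning CIDRs supplied by the caller)."""
    nets = LOCAL_CIDRS + [ipaddress.ip_network(c) for c in extra_filter_cidrs]
    return _in_cidr(addr, nets) or any(
        _wildcard_contains(addr, p) for p in LOCAL_HEX_PATTERNS)


def matches_rule(event: dict, extra_filter_cidrs=()) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    if str(event.get("EventID")) != "4000":
        return False
    share = str(event.get("ShareName", "")).upper()
    if not any(s in share for s in ADMIN_SHARES):
        return False
    # selection_status is a list of maps, so the two checks are OR-ed.
    status_hit = (str(event.get("SigningUsed", "")).lower() == "false"
                  or str(event.get("EncryptionUsed", "")).lower() == "false")
    if not status_hit:
        return False
    return not is_local_client(str(event.get("ClientAddress", "")), extra_filter_cidrs)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4000, "ShareName": "\\\\*\\C$", "ClientAddress": "10.20.30.40",
     "SigningUsed": "false", "EncryptionUsed": "false"},        # remote, unsigned -> alert
    {"EventID": 4000, "ShareName": "\\\\*\\IPC$", "ClientAddress": "127.0.0.1",
     "SigningUsed": "false", "EncryptionUsed": "false"},        # loopback -> filtered
    {"EventID": 4000, "ShareName": "\\\\*\\ADMIN$", "ClientAddress": "0200E1CE7F000001",
     "SigningUsed": "false", "EncryptionUsed": "true"},         # hex loopback -> filtered
    {"EventID": 4000, "ShareName": "\\\\*\\C$", "ClientAddress": "10.20.30.41",
     "SigningUsed": "true", "EncryptionUsed": "true"},          # signed+encrypted -> no alert
    {"EventID": 4000, "ShareName": "\\\\*\\Data", "ClientAddress": "10.20.30.42",
     "SigningUsed": "false", "EncryptionUsed": "false"},        # not an admin share -> no alert
]


def evaluate(events=SAMPLE_EVENTS, extra_filter_cidrs=()):
    """Return one True/False per event; True means the rule would fire."""
    return [matches_rule(e, extra_filter_cidrs) for e in events]


if __name__ == "__main__":
    print("default filters:", evaluate())
    print("with 10.0.0.0/8 tuned out:", evaluate(extra_filter_cidrs=("10.0.0.0/8",)))
```

Running it shows that only the first sample fires under the rule as written, and that adding `10.0.0.0/8` to the filter (the tuning this entry suggests for legacy or misconfigured internal hosts) silences it too, which is the trade-off to weigh: the wider the exclusion, the more lateral movement from inside the same ranges goes unseen.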