Unsigned or Unencrypted SMB Connection to Share Established
Detects, in the SMB server connectivity log, connections to the administrative shares IPC$, ADMIN$ and C$ that were established without SMB signing or without SMB encryption (either flag being false is enough to match). Connections from loopback and link-local client addresses are filtered out; the RFC 1918 ranges are not, so internal hosts reaching each other's administrative shares over unsigned or unencrypted SMB will match. This could indicate lateral movement over unsecured SMB shares.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares |
Event coverage
| Provider | Event | Title |
|---|---|---|
| SMBServer | Event ID 4000 | The SMB client connection to the share was established |
Rule body
```yaml
title: Unsigned or Unencrypted SMB Connection to Share Established
id: 8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12
status: experimental
description: |
    Detects SMB server connections to shares without signing or encryption enabled.
    This could indicate potential lateral movement activity using unsecured SMB shares.
author: Mohamed Abdelghani
date: 2025-10-19
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: smbserver-connectivity
detection:
    selection_shares:
        EventID: 4000
        ShareName|contains:
            - 'IPC$'
            - 'ADMIN$'
            - 'C$'
    selection_status:
        - SigningUsed: 'false'
        - EncyptionUsed: 'false' # Note: typo in the original event field name
    filter_main_local_ips:
        - ClientAddress|cidr:
            # IPv4
            # - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '169.254.0.0/16'
            # - '172.16.0.0/12'
            # - '192.168.0.0/16'
            # IPv6
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
        # The filters below cover the XML raw log
        - ClientAddress|contains:
            # IPv6
            - '00000000000000000000000000000001' # ::1 - IPv6 loopback
            - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
            - 'FC00000000000000' # fc00:: - IPv6 private addresses
            # IPv4
            # The "?" are meant to represent the port
            # - '0200????C0A8' # 192.168.
            # - '0200????AC' # 172.
            # - '0200????0A' # 10.
            - '0200????7F' # 127
            - '0200????A9FE' # 169.254.
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.
level: medium
```
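The following is an added example, not part of the SigmaHQ rule or of this catalog page: a stand-alone Python evaluator that applies the rule's condition to a handful of constructed events, so you can see which combinations of share, flags and client address alert and which are suppressed. It reproduces Sigma's semantics for this rule (keys in one selection map are ANDed; the YAML lists in `selection_status` and `filter_main_local_ips` are ORed; `contains` is a case-insensitive substring match in which `?` matches exactly one character; `cidr` is a network-containment test). The `sockaddr_hex` helper is an assumption about how the raw XML form of `ClientAddress` is laid out (a hex dump of a Windows SOCKADDR: little-endian 16-bit family, big-endian port, then the address bytes); it is consistent with the rule's `0200????7F` pattern but is not stated on the page. All sample events are constructed.

```python
"""Evaluate the Sigma rule above against sample events (added example, not SigmaHQ code)."""
import fnmatch
import ipaddress
import struct

SHARE_TOKENS = ("IPC$", "ADMIN$", "C$")
LOCAL_CIDRS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16",          # RFC 1918 ranges stay commented out, as in the rule
    "::1/128", "fe80::/10", "fc00::/7")]
RAW_PATTERNS = (                               # ClientAddress as hex in the raw XML form
    "00000000000000000000000000000001", "FE80000000000000", "FC00000000000000",
    "0200????7F", "0200????A9FE")

AF_INET, AF_INET6 = 2, 23                      # Windows address-family values


def sockaddr_hex(ip: str, port: int) -> str:
    """Render an address the way the raw XML form of the event is assumed to carry it.

    Assumption (not stated on the page): a hex dump of a Windows SOCKADDR, i.e. a
    little-endian 16-bit family, a big-endian port, then the address bytes. The
    rule's '0200????7F' pattern (family 2, any port, 127.x.x.x) fits that layout.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:                      # sockaddr_in: family, port, addr, 8 bytes padding
        raw = struct.pack("<H", AF_INET) + struct.pack(">H", port) + addr.packed + bytes(8)
    else:                                      # sockaddr_in6: family, port, flowinfo, addr, scope id
        raw = struct.pack("<H", AF_INET6) + struct.pack(">H", port) + bytes(4) + addr.packed + bytes(4)
    return raw.hex().upper()


def sigma_contains(value: str, patterns) -> bool:
    """Sigma `contains`: case-insensitive substring; '?' matches exactly one character."""
    v = value.casefold()
    return any(fnmatch.fnmatchcase(v, "*" + p.casefold() + "*") for p in patterns)


def is_local_client(client_address: str) -> bool:
    """filter_main_local_ips: textual IPs via cidr, raw-XML hex via contains (ORed)."""
    try:
        addr = ipaddress.ip_address(client_address)
        if any(addr in net for net in LOCAL_CIDRS):
            return True
    except ValueError:
        pass                                   # not a textual IP; fall through to the hex patterns
    return sigma_contains(client_address, RAW_PATTERNS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selection_shares = (str(event.get("EventID")) == "4000"
                        and sigma_contains(str(event.get("ShareName", "")), SHARE_TOKENS))
    # selection_status is a list of maps, so either flag being false is enough;
    # 'EncyptionUsed' keeps the spelling the event itself uses
    selection_status = any(str(event.get(f, "")).casefold() == "false"
                           for f in ("SigningUsed", "EncyptionUsed"))
    return (selection_shares and selection_status
            and not is_local_client(str(event.get("ClientAddress", ""))))


# Constructed sample events; `contains` does not care about any path prefix on ShareName.
SAMPLE_EVENTS = [
    {"EventID": 4000, "ShareName": "ADMIN$", "ClientAddress": "10.20.30.40",
     "SigningUsed": "false", "EncyptionUsed": "true"},                    # 0: remote, unsigned -> alert
    {"EventID": 4000, "ShareName": "IPC$", "ClientAddress": "127.0.0.1",
     "SigningUsed": "false", "EncyptionUsed": "false"},                   # 1: loopback -> filtered
    {"EventID": 4000, "ShareName": "C$", "ClientAddress": "fe80::1",
     "SigningUsed": "false", "EncyptionUsed": "false"},                   # 2: link-local -> filtered
    {"EventID": 4000, "ShareName": "IPC$", "ClientAddress": sockaddr_hex("127.0.0.1", 445),
     "SigningUsed": "false", "EncyptionUsed": "false"},                   # 3: raw-XML loopback -> filtered
    {"EventID": 4000, "ShareName": "ADMIN$", "ClientAddress": sockaddr_hex("10.20.30.40", 51000),
     "SigningUsed": "true", "EncyptionUsed": "false"},                    # 4: raw-XML remote, unencrypted -> alert
    {"EventID": 4000, "ShareName": "Public", "ClientAddress": "203.0.113.5",
     "SigningUsed": "false", "EncyptionUsed": "false"},                   # 5: not an admin share -> no match
    {"EventID": 4000, "ShareName": "C$", "ClientAddress": "10.1.1.1",
     "SigningUsed": "true", "EncyptionUsed": "true"},                     # 6: signed and encrypted -> no match
]


def run_rule(events) -> list:
    """Return the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    print("alerting events:", run_rule(SAMPLE_EVENTS))   # [0, 4]
```

Two things the run makes visible. First, the commented-out RFC 1918 entries are the tuning knob: event 0 (10.20.30.40 reaching ADMIN$ unsigned) alerts precisely because 10.0.0.0/8 is not in the filter, and enabling those lines would suppress the internal-to-internal connections that lateral movement actually produces, so tune by source host or subnet rather than by whole private range. Second, `ShareName|contains: 'C$'` is a substring test, so any hidden share whose name ends in `C$` matches as well, not only the C$ administrative share.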
Stages and Predicates
Stage 0: condition
```yaml
condition: all of selection_* and not 1 of filter_main_*
```
Stage 1: selection_shares
```yaml
selection_shares:
    EventID: 4000
    ShareName|contains:
        - 'IPC$'
        - 'ADMIN$'
        - 'C$'
```
Stage 2: selection_status
```yaml
selection_status:
    - SigningUsed: 'false'
    - EncyptionUsed: 'false'
```
Stage 3: not filter_main_local_ips
```yaml
filter_main_local_ips:
    - ClientAddress|cidr:
        - '127.0.0.0/8'
        - '169.254.0.0/16'
        - '::1/128'
        - 'fe80::/10'
        - 'fc00::/7'
    - ClientAddress|contains:
        - '00000000000000000000000000000001'
        - 'FE80000000000000'
        - 'FC00000000000000'
        - '0200????7F'
        - '0200????A9FE'
```
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses. The `match` rows are `contains` patterns in which `?` stands for any one character.
| Field | Kind | Excluded values |
|---|---|---|
| ClientAddress | cidr_match | 127.0.0.0/8 |
| ClientAddress | cidr_match | 169.254.0.0/16 |
| ClientAddress | cidr_match | ::1/128 |
| ClientAddress | cidr_match | fc00::/7 |
| ClientAddress | cidr_match | fe80::/10 |
| ClientAddress | match | 00000000000000000000000000000001 |
| ClientAddress | match | 0200????7F |
| ClientAddress | match | 0200????A9FE |
| ClientAddress | match | FC00000000000000 |
| ClientAddress | match | FE80000000000000 |
Indicators
Each row is a field, operator, and value that the rule matches (values taken from the rule body above).
| Field | Kind | Values |
|---|---|---|
| EncyptionUsed | eq | false |
| ShareName | match | IPC$, ADMIN$, C$ |
| SigningUsed | eq | false |