Process or script enumerates network shares via CLI (`net view`/`net share`, PowerShell `Get-SmbShare`/WMI) or OS APIs (`NetShareEnum` / `srvsvc.NetShareEnumAll` RPC) → bursts of outbound SMB/RPC connections (445/139, `\\host\IPC$` / `srvsvc`) to many hosts inside a short window → optional follow-on file listing or copy operations.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Named Pipe Metadata (DC0048) | WinEventLog:Sysmon | EventCode=17 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-RPC | rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes |

| Field | Description |
|---|---|
| BurstHostThreshold | Minimum number of unique destination hosts over SMB within TimeWindow to treat as scanning (e.g., ≥5). |
| TimeWindow | Correlation window between the discovery process start and SMB fan-out (default 10m). |
| AllowedDiscoveryAccounts | Service/admin accounts legitimately running inventory scripts. |
| PipeNameAllowList | Pipes (e.g., \PIPE\spoolss) normally accessed by management agents; exclude from alerts. |

CLI tools (`smbclient -L`, `smbmap`, `rpcclient`, `nmblookup`) or custom scripts enumerate SMB shares on many internal hosts → corresponding SMB connections (445/139) captured by Zeek/Netflow within a short window.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb |
| Network Connection Creation (DC0082) | NSM:Flow | connection: TCP connections to ports 139/445 to multiple hosts |
| OS API Execution (DC0021) | NSM:Flow | smb_command: TreeConnectAndX to \\*\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares |

| Field | Description |
|---|---|
| BurstHostThreshold | Minimum unique hosts to flag (e.g., ≥5). |
| TimeWindow | Correlation window between tool exec and SMB fan-out (default 10m). |
| ApprovedInventoryHosts | IPs of vulnerability scanners or config mgmt systems. |

Use of native macOS tools (`sharing -l`, `smbutil view`, `mount_smbfs`) or scripts to enumerate SMB shares across many hosts, followed by outbound SMB connections observed in PF/Zeek logs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of "sharing -l", "smbutil view", "mount_smbfs" |
| Command Execution (DC0064) | macos:unifiedlog | Command line contains smbutil view //, mount_smbfs // |
| Network Traffic Flow (DC0078) | NSM:Firewall | Outbound connections to 139/445 to multiple destinations |
| Network Connection Creation (DC0082) | NSM:Flow | connection: SMB connections to multiple internal hosts |

| Field | Description |
|---|---|
| BurstHostThreshold | Minimum unique SMB destinations (e.g., ≥3–5 in smaller macOS fleets). |
| TimeWindow | Correlation window between exec and SMB connections (default 10m). |
| AllowedMgmtTools | Jamf/IT scripts legitimately running smbutil/mount_smbfs. |
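Both the Linux and the macOS analytics lean on the network side (NSM:Flow / NSM:Firewall) for the fan-out itself: many TCP connections to 139/445 from one source to distinct internal hosts inside TimeWindow, with ApprovedInventoryHosts (scanners, config management) excluded. The script below is an added example of that flow-only check over Zeek `conn.log`, not code from the page or from Zeek. The log lines are constructed in conn.log TSV layout (a `#fields` header, then tab-separated records) and include only the columns the check needs; the IP addresses, including the approved scanner 10.0.0.9, are made up. It works the same for a Linux host running `smbmap` and a Mac running `smbutil view` because it never looks at the endpoint at all.

```python
"""Flag SMB fan-out from Zeek conn.log with no endpoint telemetry.

Added example, not part of the original page. Sample records are constructed
in Zeek conn.log TSV layout with a reduced column set; real logs carry more
columns, which the #fields-driven parser simply carries along.
"""
from collections import defaultdict

# Tunables from the Linux/macOS field tables.
BURST_HOST_THRESHOLD = 5
TIME_WINDOW_SECONDS = 600                 # 10m
SMB_PORTS = {139, 445}
APPROVED_INVENTORY_HOSTS = {"10.0.0.9"}   # constructed vulnerability-scanner address


def parse_conn_log(text):
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other metadata lines (#separator, #types, #close, ...)
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def smb_fanout(records):
    """Return {source_ip: distinct SMB responders} for every non-approved source
    that reached >= BURST_HOST_THRESHOLD distinct hosts on 139/445 within any
    TIME_WINDOW_SECONDS-long window (sliding over the source's connections)."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] != "tcp" or int(r["id.resp_p"]) not in SMB_PORTS:
            continue
        per_src[r["id.orig_h"]].append((float(r["ts"]), r["id.resp_h"]))
    alerts = {}
    for src, conns in per_src.items():
        if src in APPROVED_INVENTORY_HOSTS:
            continue
        conns.sort()
        best = 0
        for i, (t0, _) in enumerate(conns):
            in_window = {h for t, h in conns[i:] if t - t0 <= TIME_WINDOW_SECONDS}
            best = max(best, len(in_window))
        if best >= BURST_HOST_THRESHOLD:
            alerts[src] = best
    return alerts


def _row(ts, orig, resp, port, proto="tcp", service="-"):
    """One constructed conn.log record (uid and orig port are placeholders)."""
    return f"{ts:.6f}\tCxyz{int(ts) % 1000}\t{orig}\t51000\t{resp}\t{port}\t{proto}\t{service}"


_T0 = 1714554000.0
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    # 10.0.0.5 touches six servers on 445 inside 30 seconds -> burst
    *[_row(_T0 + 5 * i, "10.0.0.5", f"10.0.1.{10 + i}", 445) for i in range(6)],
    _row(_T0 + 3600, "10.0.0.5", "10.0.1.16", 445),        # an hour later: separate window
    _row(_T0 + 7, "10.0.0.5", "10.0.1.10", 80, service="http"),  # not SMB: ignored
    # 10.0.0.9 is the approved scanner: eight hosts, suppressed
    *[_row(_T0 + 2 * i, "10.0.0.9", f"10.0.1.{30 + i}", 445) for i in range(8)],
    # 10.0.0.7 mounts two shares: under threshold
    _row(_T0 + 100, "10.0.0.7", "10.0.1.10", 445),
    _row(_T0 + 160, "10.0.0.7", "10.0.1.11", 139),
    "#close 2024-05-01-10-00-00",
])

if __name__ == "__main__":
    print(smb_fanout(parse_conn_log(SAMPLE_CONN_LOG)))
```

The expected result is `{'10.0.0.5': 6}`: the later connection to 10.0.1.16 falls outside every 10-minute window that contains the burst, the HTTP record is filtered on port, and the scanner is dropped by the allow list. The quadratic sliding window is fine for an example; a streaming implementation would keep a per-source deque of (ts, responder) pairs and evict entries older than the window.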