Processes accessing multiple IP addresses over port 445 may indicate an adversary scanning for network shares, a common reconnaissance technique used to identify opportunities for lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of network discovery and potential compromise.
KQL Query

```kql
DeviceNetworkEvents
| where RemotePort == 445 and Timestamp > ago(7d)
// Exclude Kernel processes, as they are too noisy in this query
and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime
| where RemoteIPCount > 10
```
```yaml
id: a3dc6ecb-d910-467b-844e-a3b87744c4c9
name: SMB shares discovery
description: |
  Query for processes that accessed more than 10 IP addresses over port 445 (SMB) - possibly scanning for network shares.
  To read more about Network Share Discovery, see: https://attack.mitre.org/wiki/Technique/T1135.
  Tags: #SMB, #NetworkScanning, #UniqueProcessId.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
query: |
  DeviceNetworkEvents
  | where RemotePort == 445 and Timestamp > ago(7d)
  // Exclude Kernel processes, as they are too noisy in this query
  and InitiatingProcessId !in (0, 4)
  | summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCreationTime
  | where RemoteIPCount > 10
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System Backup Tool Scanning Network Shares
Description: A legitimate backup tool (e.g., Veeam, Acronis) may scan multiple SMB shares across the network during a scheduled backup job.
Filter/Exclusion: Exclude processes associated with known backup tools (e.g., veeam.exe, acronisbackup.exe), or filter by process names matching backup tool patterns.

Scenario: Scheduled System Inventory Scan
Description: An IT admin may run a scheduled task that inventories SMB shares across the network using tools such as smbclient or net view.
Filter/Exclusion: Exclude processes launched by scheduled tasks under known administrative names (e.g., TaskScheduler or smbclient.exe), or filter by user account (e.g., admin or IT).

Scenario: Active Directory Replication via SMB
Description: Domain controllers may use SMB when replicating with one another, which can produce accesses to multiple IP addresses.
Filter/Exclusion: Exclude processes related to Active Directory replication (e.g., ntdsutil.exe, dcdiag.exe), or filter by the source and destination IP ranges used by domain controllers.

Scenario: Network Discovery via PowerShell or WMI
Description: Administrators may use PowerShell or WMI to discover SMB shares across the network for inventory or troubleshooting.
Filter/Exclusion: Exclude processes with PowerShell- or WMI-related names (e.g., powershell.exe, wbemtest.exe), or filter by user context (e.g., Administrator).

Scenario: Antivirus or Endpoint Protection Scanning SMB Shares
Description: Antivirus tools may scan SMB shares for malware, which can result in access to multiple IP addresses.
Filter/Exclusion: Exclude processes associated with antivirus vendors (e.g., `
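The following is an added example, not part of the original hunting query or of the Microsoft Sentinel repository: the page's SMB discovery query extended with the exclusions suggested by the benign scenarios above (known scanner processes, known service accounts, and domain-controller subnets). Every process name, account name and subnet in the `let` statements is a constructed placeholder to be replaced with values from your own environment; the extra `summarize` columns (sample remote IPs, first/last seen) are added to make triage faster.

```kql
// Added example: tuned version of the SMB shares discovery query.
// All allow-list values below are constructed placeholders; tune per environment.
let lookback = 7d;
let threshold = 10;
// Processes that legitimately touch many SMB hosts (backup, inventory, AV, admin tooling)
let knownScanners = dynamic(["veeam.exe", "acronisbackup.exe", "smbclient.exe",
                             "ntdsutil.exe", "dcdiag.exe", "wbemtest.exe"]);
// Service accounts under which scheduled backup or inventory jobs run (constructed)
let knownAccounts = dynamic(["svc_backup", "svc_inventory"]);
// Subnets that hold domain controllers (constructed placeholder ranges)
let dcSubnets = dynamic(["10.0.10.0/24", "10.1.10.0/24"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemotePort == 445
// Exclude Kernel processes, as they are too noisy in this query
| where InitiatingProcessId !in (0, 4)
// Drop the documented benign scanners and service accounts (case-insensitive match)
| where InitiatingProcessFileName !in~ (knownScanners)
| where InitiatingProcessAccountName !in~ (knownAccounts)
// Drop DC-to-DC traffic only when BOTH ends sit in a DC subnet.
// coalesce() keeps rows whose address is not IPv4 (the range check returns null there).
| where not(coalesce(ipv4_is_in_any_range(LocalIP, dcSubnets), false)
            and coalesce(ipv4_is_in_any_range(RemoteIP, dcSubnets), false))
| summarize RemoteIPCount = dcount(RemoteIP),
            SampleRemoteIPs = make_set(RemoteIP, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessId, InitiatingProcessCreationTime
| where RemoteIPCount > threshold
| order by RemoteIPCount desc
```

Two points about the design. First, the DC exclusion deliberately requires both `LocalIP` and `RemoteIP` to fall in a DC subnet, so a workstation enumerating shares on domain controllers is still surfaced. Second, a file-name allow-list is the weakest kind of exclusion, because nothing stops a renamed binary from calling itself `veeam.exe`; before promoting this into a scheduled analytic, consider keying the exclusion on `InitiatingProcessSHA256` (also present in `DeviceNetworkEvents`) or on the installed path, and keep the untuned query from the page for periodic hunting so the allow-list itself is reviewed.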