external_access_of_smb

Explanation

This security event is triggered by the Netography Fusion Portal when it detects access from a non-customer network to Windows Networking services (including DCE-RPC, NetBIOS, or SMB).

What to Look For

Generally, Windows Networking should not be exposed to the Internet, and unauthorized external access can indicate a potential security threat. If a Windows server or workstation has been exposed, the host in question may have been compromised, or files may have been exfiltrated from file sharing services. Network administrators should consider implementing additional security controls to limit access to these hosts, such as firewalls, or disabling SMB services altogether. This event may produce false positives if internal IP address ranges have not been defined properly in Netography Fusion.
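The condition and the false-positive caveat above, sketched as an added example (not Netography's implementation). The flow record fields, the sample addresses and the internal ranges are constructed assumptions; the ports are the standard ones for DCE-RPC, NetBIOS and SMB.

```python
import ipaddress

# Standard Windows Networking ports: DCE-RPC endpoint mapper, NetBIOS, SMB.
WINDOWS_PORTS = {135: "DCE-RPC", 137: "NetBIOS", 138: "NetBIOS",
                 139: "NetBIOS", 445: "SMB"}

def is_internal(addr, ranges):
    """True if addr falls inside any of the defined internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)

def external_windows_access(flows, internal_cidrs):
    """Return flows where a source outside the defined internal ranges
    reaches an internal host on a Windows Networking port."""
    ranges = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for flow in flows:
        service = WINDOWS_PORTS.get(flow["dst_port"])
        if service is None:
            continue  # not DCE-RPC, NetBIOS or SMB
        if is_internal(flow["dst"], ranges) and not is_internal(flow["src"], ranges):
            hits.append({**flow, "service": service})
    return hits

# Constructed sample flows (documentation and RFC 1918 addresses).
SAMPLE_FLOWS = [
    {"src": "203.0.113.50", "dst": "10.1.2.10", "dst_port": 445},  # Internet -> SMB
    {"src": "10.1.2.20",    "dst": "10.1.2.10", "dst_port": 445},  # same site
    {"src": "172.16.5.9",   "dst": "10.1.2.10", "dst_port": 135},  # branch office
    {"src": "198.51.100.7", "dst": "10.1.2.10", "dst_port": 443},  # not Windows Networking
]

COMPLETE_RANGES = ["10.0.0.0/8", "172.16.0.0/12"]
INCOMPLETE_RANGES = ["10.0.0.0/8"]  # branch office range left undefined

if __name__ == "__main__":
    for label, cidrs in (("complete", COMPLETE_RANGES),
                         ("incomplete", INCOMPLETE_RANGES)):
        for hit in external_windows_access(SAMPLE_FLOWS, cidrs):
            print(f"{label}: {hit['src']} -> {hit['dst']} ({hit['service']})")
```

With the complete range list only the Internet-sourced SMB flow is reported; with the branch range missing, the internal DCE-RPC flow is reported as well, which is the false positive described above.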

Related MITRE ATT&CK Categories

Remote Services, Technique T1021 - Enterprise

Network Share Discovery, Technique T1135 - Enterprise

Network Service Discovery, Technique T1046 - Enterprise

Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise