This note documents detection patterns related to SMB Enumeration within Active Directory environments.
## Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | Medium | SMB authentication events preceding enumeration. Typically LogonType 3 (network). |
| Security | 5140 | A network share object was accessed | High | Indicates access to shared resources such as ADMIN$, C$, IPC$, SYSVOL. |
| Security | 5145 | A network share object was checked to see whether client can access it | Critical | Frequent checks against many shares often indicate enumeration activity. |
| Security | 4776 | NTLM authentication | Medium | NTLM authentication used during SMB enumeration. |
| Sysmon | 3 | Network connection | High | Connections to TCP ports 445 or 139. |
| Sysmon | 1 | Process creation | Medium | Execution of enumeration tools such as CrackMapExec or smbclient. |
## Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Multiple share access checks | Repeated 5145 events across many shares | Critical | Classic SMB enumeration pattern. |
| Enumeration of administrative shares | Access attempts to ADMIN$, C$, IPC$ | High | Often indicates reconnaissance or lateral movement preparation. |
| SMB connections across many hosts | Sequential connections to multiple machines | High | Automated scanning behavior. |
| Enumeration from user workstation | SMB scanning originating from non-admin host | High | Possible attacker reconnaissance. |
| Execution of SMB enumeration tools | Processes such as CrackMapExec or smbmap | Critical | Direct evidence of enumeration activity. |
## Common Tools
| Tool | Usage |
|---|---|
| CrackMapExec | Enumerates SMB shares, users, and permissions across hosts. |
| smbclient | Lists and accesses SMB shares. |
| smbmap | Enumerates SMB share permissions. |
| Impacket smbclient.py | Enumerates SMB shares and credentials. |
| Nmap smb scripts | Performs automated SMB discovery. |
## Relevant Artifacts
- Domain controller Security logs (4624, 5140, 5145)
- SMB access logs on target hosts
- Network traffic logs for SMB connections
- Sysmon logs (1, 3)
- EDR telemetry identifying enumeration tools
- Prefetch artifacts for CrackMapExec or smbclient
- Authentication logs preceding enumeration
- Network scanning telemetry
## MITRE ATT&CK References
- T1135 Network Share Discovery
- T1018 Remote System Discovery
- T1087 Account Discovery
## Decision Tree
- Is the suspicious event present?
  - Identify SMB share enumeration events (5145).
- What host generated the event?
  - Determine the workstation performing the SMB connections.
- Is the account expected to perform this action?
  - Investigate whether the account normally accesses many network shares.
- Pivot:
  - Source host → inspect execution of CrackMapExec or smbclient.
  - Network → analyze connections to multiple hosts.
  - Authentication → review credential usage during enumeration.
- Confirm exploitation:
  - Determine whether the attacker enumerated SMB shares to prepare for lateral movement.
## Example Detection Templates
### KQL
```kql
SecurityEvent
| where EventID == 5145
| summarize count() by IpAddress, ShareName, bin(TimeGenerated, 5m)
```

```kql
DeviceNetworkEvents
| where RemotePort in (445, 139)
| summarize count() by InitiatingProcessAccountName, RemoteIP, bin(TimeGenerated, 5m)
```
### EQL
```eql
any where event.code == "5145"
```
### Sigma
```yaml
title: Suspicious SMB Share Enumeration
id: smb-enumeration-detection
status: experimental
description: Detects repeated SMB share access checks indicating possible enumeration
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
  condition: selection
fields:
  - SubjectUserName
  - ShareName
falsepositives:
  - Legitimate administrative scripts
level: medium
tags:
  - attack.discovery
  - attack.t1135
```
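The Sigma rule above matches every single 5145 event, so the "repeated" threshold its description promises has to be applied downstream, as the KQL `summarize ... bin(TimeGenerated, 5m)` does. The following added example (not part of the original note) implements that aggregation in Python over constructed sample 5145 events: it bins events per source IP and account into 5-minute windows, counts distinct shares and target hosts, and raises the severity when administrative shares or several hosts are involved. Field names, thresholds and sample values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample 5145 events, not real telemetry:
# (TimeCreated, IpAddress, SubjectUserName, Computer, ShareName).
# 10.0.0.23 checks six shares on two hosts in four minutes; 10.0.0.50 opens one.
SAMPLE_5145 = [
    ("2024-01-10T09:00:05", "10.0.0.23", "svc-scan", "FS01", r"\\*\ADMIN$"),
    ("2024-01-10T09:00:06", "10.0.0.23", "svc-scan", "FS01", r"\\*\C$"),
    ("2024-01-10T09:00:06", "10.0.0.23", "svc-scan", "FS01", r"\\*\IPC$"),
    ("2024-01-10T09:01:10", "10.0.0.23", "svc-scan", "DC01", r"\\*\SYSVOL"),
    ("2024-01-10T09:01:11", "10.0.0.23", "svc-scan", "DC01", r"\\*\NETLOGON"),
    ("2024-01-10T09:02:30", "10.0.0.23", "svc-scan", "FS01", r"\\*\Finance"),
    ("2024-01-10T09:03:00", "10.0.0.50", "jdoe", "FS01", r"\\*\Finance"),
    ("2024-01-10T09:07:00", "10.0.0.23", "svc-scan", "FS01", r"\\*\IPC$"),
]

def bin_start(ts: datetime, window: timedelta) -> datetime:
    """Floor a timestamp to its window, like KQL bin(TimeGenerated, 5m)."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window

def share_name(raw: str) -> str:
    # 5145 logs ShareName as \\*\NAME; keep only the share name, upper-cased.
    return raw.rsplit("\\", 1)[-1].upper()

def detect_share_enumeration(events, window=timedelta(minutes=5), min_shares=5):
    """Group 5145 events by source IP, account and time bin; alert when one
    source checks at least min_shares distinct shares inside a single bin."""
    groups = defaultdict(lambda: {"shares": set(), "hosts": set(), "count": 0})
    for time, ip, user, computer, share in events:
        key = (ip, user, bin_start(datetime.fromisoformat(time), window))
        groups[key]["shares"].add(share_name(share))
        groups[key]["hosts"].add(computer)
        groups[key]["count"] += 1
    alerts = []
    for (ip, user, start), g in sorted(groups.items(), key=lambda kv: kv[0][2]):
        if len(g["shares"]) < min_shares:
            continue
        # Admin shares or several target hosts in one bin: treat as critical.
        critical = bool(g["shares"] & ADMIN_SHARES) or len(g["hosts"]) > 1
        alerts.append({"ip": ip, "user": user, "window_start": start.isoformat(),
                       "events": g["count"], "distinct_shares": len(g["shares"]),
                       "distinct_hosts": len(g["hosts"]),
                       "severity": "critical" if critical else "high"})
    return alerts
```

Run against the sample, only the 10.0.0.23 / svc-scan 09:00 window is flagged; the 09:07 event falls into the next bin and the single-share access by jdoe stays below the threshold.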
## Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Monitoring | Alert on repeated SMB share access attempts | High | Detects enumeration activity. |
| Network segmentation | Restrict SMB access between workstations | High | Reduces attack surface. |
| Least privilege | Limit access to administrative shares | High | Prevents unauthorized enumeration. |
| EDR monitoring | Detect CrackMapExec or smbmap execution | Critical | Direct detection of attacker tooling. |
| Threat hunting | Review SMB traffic patterns regularly | Medium | Identifies reconnaissance behavior. |