This note documents detection patterns related to SMB Beaconing within Windows environments.
Direct Indicators
| Log Source | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 3 | Network connection | Critical | SMB outbound (445/139). Identify lateral movement targets. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for SMB execution tools (PsExec, etc). |
| Sysmon | 22 | DNS query | Medium | Name resolution before SMB connection. |
| Security | 4624 | Logon success | Critical | Logon Type 3 = SMB network logon. Correlate source IP + account. |
| Security | 4625 | Logon failure | High | Failed SMB auth attempts (spray/brute). |
| Security | 4648 | Explicit credentials | High | Alternate creds usage (common in lateral movement). |
| Security | 4672 | Special privileges assigned | High | Admin-level logon via SMB. Strong compromise signal. |
| Security | 5140 | Share accessed | Critical | SMB session established to a share. |
| Security | 5145 | Detailed share access | Critical | File-level access (read/write/delete). Shows exact target file. |
| Security | 5142 | Share created | High | Rogue share creation. |
| Security | 5144 | Share deleted | Medium | Share cleanup / anti-forensics. |
| Security | 4776 | NTLM authentication | High | NTLM auth to local system (often tied to SMB auth). |
| Security | 4768 | Kerberos TGT request | Medium | Initial auth before SMB (Kerberos environments). |
| Security | 4769 | Kerberos service ticket | High | TGS request for CIFS (SMB service). Key lateral movement signal. |
| SMBServer Operational | 3000 | SMB session established | High | Confirms inbound SMB session on server. |
| SMBServer Operational | 3001 | SMB session disconnected | Medium | Session lifecycle tracking. |
| SMBServer Operational | 3100 | Tree connect (share access) | High | Maps client → share name. |
| SMBServer Security | 1006 | SMB authentication attempt | High | Auth attempt against SMB server. Includes account + source. |
| SMBServer Security | 1007 | SMB authentication failure | High | Failed SMB auth (bad creds / attack). |
| SMBServer Security | 1020 | SMB session logon success | High | Successful SMB auth at server level (alt to 4624). |
| SMBClient Connectivity | 30803 | Connection to SMB server | High | Outbound SMB attempt from client. |
| SMBClient Connectivity | 30804 | Connection failure | High | Failed SMB connection (network/auth issues). |
| SMBClient Operational | 31017 | Session setup attempt | High | SMB authentication attempt from client side. |
| SMBClient Operational | 31018 | Session established | High | Successful SMB auth from client perspective. |
| System | 7045 | Service installed | Critical | PsExec-style service creation over SMB (svc.exe drop). |
| Sysmon | 11 | File created | Critical | File drop via SMB (payload staging). |
| Sysmon | 13 | Registry value set | High | Persistence after SMB execution. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Repeated SMB intervals | Periodic connections | Critical | Beacon hallmark. |
| Same remote host contacted repeatedly | Stable C2 relay | Critical | Strong pattern. |
| ADMIN$ / IPC$ touched repeatedly | High-risk admin channel | Critical | Strong malicious clue. |
| Non-admin process opens SMB | Browser/script/tool doing SMB | Critical | Rare anomaly. |
| Small repeated traffic bursts | Low-volume beacon | High | Classic stealth behavior. |
| DNS then SMB cadence | Consistent relay | High | Strong sequence. |
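The two Critical rows above (repeated intervals, same remote host) are the ones a query cannot express with a simple port filter; they need inter-arrival statistics per (host, process, destination). The following Python script is an added example, not part of the original note: it reads Sysmon Event ID 3 records exported as JSON lines (field names follow the Sysmon schema; the records themselves are constructed inline), groups SMB connections by (Computer, Image, DestinationIp), and flags a group as beaconing when it has enough samples and the inter-arrival jitter is low. The thresholds MIN_CONNECTIONS and MAX_JITTER_RATIO are assumptions to tune against your own baseline.

```python
"""Beacon-cadence scoring over Sysmon Event ID 3 records (added example)."""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
MIN_CONNECTIONS = 6      # below this, interval statistics are not meaningful (assumed)
MAX_JITTER_RATIO = 0.25  # pstdev/mean of inter-arrival gaps; lower = more regular (assumed)


def sample_jsonl():
    """Constructed Sysmon Event ID 3 records as JSON lines; not real telemetry."""
    base = datetime(2026, 3, 7, 9, 0, 0)
    rows = []

    def add(offset, image, ip, port=445, computer="WS01"):
        when = base + timedelta(seconds=offset)
        rows.append({"EventID": 3, "Computer": computer,
                     "UtcTime": when.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
                     "Image": image, "DestinationIp": ip, "DestinationPort": port})

    # implant-style cadence: ~60 s apart with a few seconds of jitter
    for off in (0, 61, 119, 181, 240, 302, 359, 420):
        add(off, r"C:\Windows\System32\rundll32.exe", "10.0.0.25")
    # user browsing a file server: bursty and irregular
    for off in (0, 15, 400, 430, 1800, 1815, 1900):
        add(off, r"C:\Windows\explorer.exe", "10.0.0.5")
    # a one-off connection (too few samples) and an HTTPS connection (wrong port)
    add(90, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "10.0.0.30")
    add(95, r"C:\Program Files\Mozilla Firefox\firefox.exe", "93.184.216.34", port=443)
    return "\n".join(json.dumps(r) for r in rows)


def parse_jsonl(text):
    """One Sysmon record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(utc_time):
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")


def score_cadence(events):
    """Return per-(Computer, Image, DestinationIp) interval statistics for SMB connections."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventID") != 3 or int(e.get("DestinationPort", 0)) not in SMB_PORTS:
            continue
        groups[(e["Computer"], e["Image"], e["DestinationIp"])].append(_ts(e["UtcTime"]))

    results = {}
    for key, times in groups.items():
        times.sort()
        if len(times) < MIN_CONNECTIONS:
            results[key] = {"count": len(times), "beacon": False, "reason": "too few samples"}
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        results[key] = {"count": len(times), "mean_gap_s": round(mean, 1),
                        "jitter_ratio": round(jitter, 3), "beacon": jitter <= MAX_JITTER_RATIO}
    return results


def find_beacons(jsonl_text):
    """Keys whose SMB connection cadence looks like a beacon, sorted for stable output."""
    return sorted(k for k, v in score_cadence(parse_jsonl(jsonl_text)).items() if v["beacon"])


if __name__ == "__main__":
    for key, stats in score_cadence(parse_jsonl(sample_jsonl())).items():
        print(key, stats)
```

The jitter ratio is what separates a fixed-interval implant from one that randomises its sleep: a beacon with 20% jitter still scores well under 0.25, while interactive file-server use produces ratios above 1. Feed the flagged keys into the 5140/5145 correlation from the tables above before escalating.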
Common Tools
| Tool | Usage |
|---|---|
| Cobalt Strike SMB beacon | Peer beaconing |
| PsExec-like tooling | SMB command channel |
| Custom implants | Named SMB relay |
| Impacket | SMB execution chains |
Relevant Artifacts
- Sysmon Event IDs 3, 1, 22
- Security Event IDs 5140, 5145, 4688
- Ports:
  - 445
  - 139
- Share names:
  - ADMIN$
  - IPC$
  - C$
- Process tree
- Network cadence timeline
- Registry key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
MITRE ATT&CK References
- T1071.002 SMB/Windows Admin Shares
Decision Tree
- Which process owns SMB traffic?
  - service
  - shell
  - implant
- Which target host?
  - workstation
  - server
  - DC
- Periodic cadence?
  - fixed interval
  - jitter
- Which share?
  - IPC$
  - ADMIN$
  - custom share
- Expand:
  - Parent process
  - Credential context
  - Lateral movement chain
- Scope:
  - Single peer
  - Mesh beaconing
  - Campaign spread
Example Detection Templates
KQL

```kql
// Sysmon Event ID 3: outbound connections to SMB ports
Sysmon
| where EventID == 3
| where DestinationPort in (445, 139)
| project TimeGenerated, Computer, Image, DestinationIp
```

```kql
// Security 5140/5145: share and file-level access
SecurityEvent
| where EventID in (5140, 5145)
| project TimeGenerated, Computer, ShareName, SubjectUserName
```

EQL

```eql
network where destination.port in (445, 139)
```

```eql
sequence by host.name with maxspan=10m
  [ network where destination.port == 445 ]
  [ network where destination.port == 445 ]
```

Sigma

```yaml
title: SMB Beaconing Detection
id: 8c3f2a15-smb-beacon
status: experimental
description: Detects suspicious repetitive SMB connections
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 3
    DestinationPort:
      - 445
      - 139
  condition: selection
fields:
  - Image
  - DestinationIp
falsepositives:
  - Legitimate file access
level: high
tags:
  - attack.command_and_control
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Monitor periodic SMB | Core beacon signal | Critical | Strong visibility |
| Watch non-admin SMB clients | Rare anomaly | Critical | High-value |
| Correlate 5140/5145 with cadence | Strong triage | Critical | High confidence |
| Restrict lateral SMB | Reduce abuse | High | Prevent relay |
| Baseline share usage | Lower false positives | High | Valuable context |
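The last two rows (correlate 5140/5145, baseline share usage) are where most of the false-positive reduction comes from. The script below is an added example, not part of the original note: it learns the set of (account, source IP, share) triples seen during a baseline window from Security 5140/5145 records, then rates each access in an observation window. A triple not in the baseline that touches ADMIN$, IPC$ or C$ is rated critical, a new triple on an ordinary share medium, and a known triple on an admin share low (a backup or management account that always does this). The field names follow the 5140/5145 schema; the records and the severity ladder are constructed assumptions.

```python
"""Share-access baselining over Security 5140/5145 records (added example)."""

ADMIN_SHARES = {"ADMIN$", "IPC$", "C$"}  # administrative shares listed in the note


def share_label(share_name):
    r"""5140/5145 record the share as \\*\NAME; keep only NAME, upper-cased."""
    return share_name.rstrip("\\").rsplit("\\", 1)[-1].upper()


def access_key(event):
    """The triple that is baselined: who, from where, to which share."""
    return (event["SubjectUserName"].lower(), event["IpAddress"], share_label(event["ShareName"]))


def build_baseline(learning_events):
    """Every (account, source ip, share) triple seen during the learning window."""
    return {access_key(e) for e in learning_events if e["EventID"] in (5140, 5145)}


def triage(events, baseline):
    """Rate each share access in the observation window against the baseline."""
    findings = []
    for e in events:
        if e["EventID"] not in (5140, 5145):
            continue
        key = access_key(e)
        known, admin = key in baseline, key[2] in ADMIN_SHARES
        if known and not admin:
            continue  # established non-administrative usage: no finding
        if admin and not known:
            severity = "critical"
        elif not known:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "severity": severity,
            "account": key[0], "source": key[1], "share": key[2],
            "target": e.get("RelativeTargetName", ""),  # only 5145 carries the file name
            "event_id": e["EventID"],
        })
    return findings


def sample_windows():
    """Constructed learning window and observation window; not real logs."""
    learning = [
        {"EventID": 5140, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.11",
         "ShareName": "\\\\*\\FINANCE"},
        {"EventID": 5145, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.11",
         "ShareName": "\\\\*\\FINANCE", "RelativeTargetName": "Q1\\budget.xlsx"},
        {"EventID": 5140, "SubjectUserName": "backupsvc", "IpAddress": "10.0.0.9",
         "ShareName": "\\\\*\\C$"},
    ]
    observation = [
        # known pair, ordinary share: no finding
        {"EventID": 5140, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.11",
         "ShareName": "\\\\*\\FINANCE"},
        # known pair, admin share: low (informational)
        {"EventID": 5140, "SubjectUserName": "backupsvc", "IpAddress": "10.0.0.9",
         "ShareName": "\\\\*\\C$"},
        # new source for this account, admin share, binary written: critical
        {"EventID": 5145, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.77",
         "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "svc.exe"},
        # new share for a known account/source: medium
        {"EventID": 5140, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.11",
         "ShareName": "\\\\*\\HR"},
        # not a share-access event: ignored
        {"EventID": 4624, "SubjectUserName": "jsmith", "IpAddress": "10.0.0.11"},
    ]
    return learning, observation


if __name__ == "__main__":
    learning, observation = sample_windows()
    for finding in triage(observation, build_baseline(learning)):
        print(finding)
```

Keying the baseline on the source IP as well as the account is what catches the critical case above: the account is legitimate, but it has never reached ADMIN$ from that host before. Pair the critical findings with the cadence scoring and the 4624 Logon Type 3 / 7045 events in the tables to confirm a PsExec-style chain.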