SMB response focuses on reducing unnecessary exposure, detecting share enumeration, enforcing signing where required, limiting administrative share access, and investigating lateral movement artifacts such as service creation, scheduled tasks, WMI execution, and suspicious file access.
Share enumeration events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} |
Select-Object -First 50 TimeCreated,Id,Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145} |
Select-Object -First 50 TimeCreated,Id,Message
SMB logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
Where-Object {$_.Message -match "Logon Type:\\s+3"} |
Select-Object -First 50 TimeCreated,Id,Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
Select-Object -First 50 TimeCreated,Id,Message
NTLM authentication
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} |
Select-Object -First 50 TimeCreated,Id,Message
Remote execution artifacts
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} |
Select-Object -First 50 TimeCreated,Id,Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} |
Select-Object -First 50 TimeCreated,Id,Message
Get-ScheduledTask | Where-Object {$_.TaskPath -notmatch "\\Microsoft\\"}
SMB signing
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature,RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature,RequireSecuritySignature
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Review shares
Get-SmbShare
Get-SmbShareAccess -Name ShareName
Get-SmbSession
Get-SmbOpenFile
Hunt file-trigger coercion payloads
Get-ChildItem "\\ootw.local\SYSVOL" -Recurse -Include *.library-ms,*.searchConnector-ms,*.lnk,*.scf,*.url,*.svg,*.html -ErrorAction SilentlyContinue |
Select-Object FullName,Length,CreationTime,LastWriteTime
Get-ChildItem "\\dc01.ootw.local\IT" -Recurse -Include *.library-ms,*.searchConnector-ms,*.lnk,*.scf,*.url,*.svg,*.html -ErrorAction SilentlyContinue |
Select-Object FullName,Length,CreationTime,LastWriteTime
Find UNC references inside text-like triggers
Get-ChildItem "\\dc01.ootw.local\IT" -Recurse -Include *.library-ms,*.searchConnector-ms,*.scf,*.url,*.svg,*.html -ErrorAction SilentlyContinue |
Select-String -Pattern "\\\\[0-9A-Za-z_.-]+\\"
Hardening
- Require SMB signing where relay risk matters.
- Disable SMBv1.
- Disable Guest access.
- Restrict anonymous SAMR and null sessions.
- Limit workstation-to-workstation SMB.
- Block outbound SMB from workstations to untrusted networks.
- Review share ACLs and NTFS ACLs together.
- Keep sensitive scripts, passwords, keys, and backups out of broadly readable shares.
- Restrict write access to shared folders that many users browse.
- Hunt for
.library-ms,.searchConnector-ms,.lnk,.scf,.url,.svg, and.htmlfiles in writable shares. - Use tiered administration so workstation admins are not domain admins.
- Monitor 5140, 5145, 4624 type 3, 4625, 4776, 7045, 4697, and unusual 445 fan-out.