Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB

Response

SMB response focuses on reducing unnecessary exposure, detecting share enumeration, enforcing signing where required, limiting administrative share access, and investigating lateral movement artifacts such as service creation, scheduled tasks, WMI execution, and suspicious file access.

Share enumeration events

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} |
  Select-Object -First 50 TimeCreated,Id,Message

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145} |
  Select-Object -First 50 TimeCreated,Id,Message

SMB logons

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
  Where-Object {$_.Message -match "Logon Type:\\s+3"} |
  Select-Object -First 50 TimeCreated,Id,Message

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
  Select-Object -First 50 TimeCreated,Id,Message

NTLM authentication

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} |
  Select-Object -First 50 TimeCreated,Id,Message

Remote execution artifacts

Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} |
  Select-Object -First 50 TimeCreated,Id,Message

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4697} |
  Select-Object -First 50 TimeCreated,Id,Message

Get-ScheduledTask | Where-Object {$_.TaskPath -notmatch "\\Microsoft\\"}

SMB signing

Get-SmbServerConfiguration | Select-Object EnableSecuritySignature,RequireSecuritySignature
Get-SmbClientConfiguration | Select-Object EnableSecuritySignature,RequireSecuritySignature
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

Disable SMBv1

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

Review shares

Get-SmbShare
Get-SmbShareAccess -Name ShareName
Get-SmbSession
Get-SmbOpenFile

Hunt file-trigger coercion payloads

Get-ChildItem "\\ootw.local\SYSVOL" -Recurse -Include *.library-ms,*.searchConnector-ms,*.lnk,*.scf,*.url,*.svg,*.html -ErrorAction SilentlyContinue |
  Select-Object FullName,Length,CreationTime,LastWriteTime

Get-ChildItem "\\dc01.ootw.local\IT" -Recurse -Include *.library-ms,*.searchConnector-ms,*.lnk,*.scf,*.url,*.svg,*.html -ErrorAction SilentlyContinue |
  Select-Object FullName,Length,CreationTime,LastWriteTime

Find UNC references inside text-like triggers

Get-ChildItem "\\dc01.ootw.local\IT" -Recurse -Include *.library-ms,*.searchConnector-ms,*.scf,*.url,*.svg,*.html -ErrorAction SilentlyContinue |
  Select-String -Pattern "\\\\[0-9A-Za-z_.-]+\\"

Hardening

  • Require SMB signing where relay risk matters.
  • Disable SMBv1.
  • Disable Guest access.
  • Restrict anonymous SAMR and null sessions.
  • Limit workstation-to-workstation SMB.
  • Block outbound SMB from workstations to untrusted networks.
  • Review share ACLs and NTFS ACLs together.
  • Keep sensitive scripts, passwords, keys, and backups out of broadly readable shares.
  • Restrict write access to shared folders that many users browse.
  • Hunt for .library-ms, .searchConnector-ms, .lnk, .scf, .url, .svg, and .html files in writable shares.
  • Use tiered administration so workstation admins are not domain admins.
  • Monitor 5140, 5145, 4624 type 3, 4625, 4776, 7045, 4697, and unusual 445 fan-out.