SMB credentials
Description
General
- Documentation: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/d416ff7c-c536-406e-a951-4f04b2fd1d2b
- Summary: Server Message Block (SMB), also known as CIFS (Common Internet File System), is a network protocol used to share files, printers and miscellaneous communications between nodes on a network. This detector aims at finding SMB credentials in the form of a URI connection string.
- IPs allowlist: This can be implemented on the server side.
- Scopes: A given user can have restricted access to files or devices on the server.
Revoke the secret
A user's credentials can be revoked or modified on the server side.
Check for suspicious activity
Logs are stored and can be inspected on the server side.
Details for Smb uri
- Family: Other
- Category: Data storage
- High recall: True
- Validity check available: False
- Analyzer available: False
- Minimum number of matches: 5
- Occurrences found for one million commits: 0.007
- Prefixed: True
- PreValidators:
  - type: ContentWhitelistPreValidator
    patterns:
      - smb://
Examples
- text: |
    smb://bob:kjlrtq2017@124.112.5.13/share/path
  connection_uri: smb://bob:kjlrtq2017@124.112.5.13/share
  scheme: smb
  database: share
  host: 124.112.5.13
  username: bob
  password: kjlrtq2017
- text: |
    smb://domain;bob:kjlrtq2017@124.112.5.13/share/path
  connection_uri: smb://domain;bob:kjlrtq2017@124.112.5.13/share
  scheme: smb
  database: share
  host: 124.112.5.13
  username: domain;bob
  password: kjlrtq2017
- text: |
    smb://domain\bob:kjlrtq2017@124.112.5.13/share/path
  connection_uri: smb://domain\bob:kjlrtq2017@124.112.5.13/share
  scheme: smb
  database: share
  host: 124.112.5.13
  username: domain\bob
  password: kjlrtq2017
- text: |
    smb://escaped_domain\\bob:kjlrtq2017@124.112.5.13/share/path
  connection_uri: smb://escaped_domain\\bob:kjlrtq2017@124.112.5.13/share
  scheme: smb
  database: share
  host: 124.112.5.13
  username: escaped_domain\\bob
  password: kjlrtq2017
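
The field extraction shown in the examples above can be reproduced with a short scanner. This is an added illustration, not the detector's own code: the regular expression, the function names `find_smb_credentials` and `redact`, and the `SAMPLE` text are assumptions built from the four example shapes on this page.

```python
import re

# Assumed pattern (not the detector's real one):
#   smb://[domain; | domain\ | domain\\]user:password@host/share
SMB_URI = re.compile(
    r"smb://"
    r"(?P<username>(?:[^\s:@/;\\]+(?:;|\\{1,2}))?[^\s:@/;\\]+)"  # optional domain + user
    r":(?P<password>[^\s@/]+)"
    r"@(?P<host>[^\s/:@]+)"
    r"/(?P<share>[^\s/]+)"
)

def find_smb_credentials(text):
    """Return one dict per SMB URI with embedded credentials found in text."""
    # Cheap pre-filter, mirroring the ContentWhitelistPreValidator on "smb://".
    if "smb://" not in text:
        return []
    findings = []
    for m in SMB_URI.finditer(text):
        findings.append({
            "connection_uri": m.group(0),   # stops after the share, as in the examples
            "scheme": "smb",
            "database": m.group("share"),   # the page reports the share as "database"
            "host": m.group("host"),
            "username": m.group("username"),
            "password": m.group("password"),
        })
    return findings

def redact(text):
    """Mask the password of every credentialed SMB URI, e.g. before logging a finding."""
    def mask(m):
        return m.group(0).replace(":" + m.group("password") + "@", ":REDACTED@", 1)
    return SMB_URI.sub(mask, text)

# Constructed sample input: two credentialed URIs and one without credentials.
SAMPLE = "\n".join([
    "mount smb://bob:kjlrtq2017@124.112.5.13/share/path",
    r"backup = smb://domain\bob:kjlrtq2017@124.112.5.13/share/path",
    "docs at smb://fileserver/public (no credentials)",
])

if __name__ == "__main__":
    for finding in find_smb_credentials(SAMPLE):
        print(finding["host"], finding["database"], finding["username"])
    print(redact(SAMPLE))
```

A URI without a `user:password@` part, such as the third sample line, produces no finding.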