AN0514: Analytic 0514
CLI tools (smbclient -L, smbmap, rpcclient, nmblookup) or custom scripts enumerate SMB shares on many internal hosts → corresponding SMB connections (445/139) captured by Zeek/Netflow within a short window.
Analyst context for executives and security teams
This analytic targets rapid SMB share enumeration from Linux hosts: tools or scripts query many internal systems and generate SMB traffic on TCP ports 445 or 139 within a short period. For security leaders, the value is not the tool names themselves; it is whether the organization can see internal reconnaissance before it turns into broader access, data staging, or incident escalation.
Executive priority
Prioritize this as an internal visibility and incident-readiness question: can the SOC prove it collects and reviews east-west SMB connection evidence at enough fidelity to identify unusual scanning or share enumeration? This matters for business continuity because SMB often exposes sensitive file shares and operational dependencies. It also supports audit and response evidence by showing whether internal reconnaissance would be visible in Zeek or NetFlow records rather than only at endpoints.
Technical view
The supplied ATT&CK analytic applies to Linux and focuses on SMB share enumeration activity using command-line tools such as smbclient -L, smbmap, rpcclient, nmblookup, or custom scripts. Detection validation should center on bursts of SMB connections from one Linux source to many internal destinations over ports 445 or 139 within a short window. Because no official detection logic is provided, teams should define local thresholds based on normal administrative activity, vulnerability scanning, backup behavior, and file service discovery patterns.
Likely telemetry
- Zeek SMB and connection logs showing source, destination, port, timing, and connection volume
- NetFlow or equivalent network flow records for TCP/445 and TCP/139 east-west traffic
- Linux endpoint process execution telemetry for SMB-related CLI tools where available
- Asset inventory identifying Linux systems, file servers, scanners, and administrative hosts
- Network segmentation context to distinguish expected SMB zones from unusual cross-segment enumeration
Detection direction
- Validate that Zeek, NetFlow, or equivalent network telemetry covers internal SMB traffic, not only perimeter traffic.
- Look for one Linux source contacting many internal hosts on TCP/445 or TCP/139 within a short time window.
- Tune thresholds against known vulnerability scanners, inventory tools, backup systems, file service monitoring, and administrator jump hosts to reduce false positives.
- Correlate network bursts with endpoint process evidence when available, especially execution of SMB enumeration utilities or unusual scripts.
- Treat the absence of supplied ATT&CK tactics and relationships as a reason to keep the analytic behavior-focused rather than to assume a specific intrusion phase or actor objective.
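As an added worked example, not part of the MITRE analytic or of Glexia's page, the script below applies the detection direction above to Zeek conn.log records in JSON-lines form. It keeps TCP connections to 445/139 whose destination is an RFC 1918 address, drops sources on an allowlist, and flags any source that reaches a threshold of distinct internal hosts within a sliding time window. The allowlist entry (10.0.0.5), the 60-second window and the 10-host threshold are assumptions to replace with local values; the conn.log lines are constructed for the example, not captured traffic.

```python
import json
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Ports and address ranges the analytic is concerned with.
SMB_PORTS = {445, 139}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumptions to tune locally: sanctioned scanners or backup hosts to suppress,
# the burst window, and how many distinct hosts count as enumeration.
ALLOWLIST = {"10.0.0.5"}          # hypothetical sanctioned vulnerability scanner
WINDOW_SECONDS = 60.0
MIN_DISTINCT_HOSTS = 10


def _conn(ts, src, dst, port=445, proto="tcp"):
    """Build one constructed Zeek conn.log record (JSON-lines form, Zeek field names)."""
    return json.dumps({"ts": ts, "id.orig_h": src, "id.orig_p": 40000 + port,
                       "id.resp_h": dst, "id.resp_p": port, "proto": proto, "conn_state": "SF"})


T0 = 1700000000.0
SAMPLE_CONN_LOG = (
    # Burst: one Linux host touches 12 file servers on 445/139 in about 17 seconds.
    [_conn(T0 + 1.5 * i, "10.1.1.50", f"10.2.0.{i + 1}", port=445 if i % 4 else 139) for i in range(12)]
    # The same host also reaches an external SMB host: not east-west, ignored.
    + [_conn(T0 + 5.0, "10.1.1.50", "203.0.113.9")]
    # Sanctioned scanner touching 15 hosts: suppressed by the allowlist.
    + [_conn(T0 + 0.2 * i, "10.0.0.5", f"10.2.0.{i + 1}") for i in range(15)]
    # Administrator mounting three shares: below the threshold.
    + [_conn(T0 + 10.0 * i, "10.1.1.7", f"10.2.1.{i + 1}") for i in range(3)]
    # Slow host touching 12 servers one every 200 s: never 10 within 60 s.
    + [_conn(T0 + 200.0 * i, "10.1.1.60", f"10.2.0.{i + 1}") for i in range(12)]
    # SSH from the enumerating host: wrong port, ignored.
    + [_conn(T0 + 3.0, "10.1.1.50", "10.2.0.20", port=22)]
)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(lines):
    """Yield (ts, orig_h, resp_h) for TCP connections to SMB ports on internal hosts."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        if rec.get("proto") != "tcp" or rec.get("id.resp_p") not in SMB_PORTS:
            continue
        if not is_internal(rec["id.resp_h"]):
            continue
        yield float(rec["ts"]), rec["id.orig_h"], rec["id.resp_h"]


def find_smb_enumeration_bursts(events, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {orig_h: (peak_distinct_hosts, window_start_ts)} for every source
    that reached at least min_hosts distinct internal SMB hosts within `window` seconds.
    Distinct destinations are counted, so retries against one server do not inflate the score."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        if src in ALLOWLIST:
            continue
        by_src[src].append((ts, dst))

    hits = {}
    for src, conns in by_src.items():
        conns.sort()                      # order by timestamp
        counts = Counter()                # destinations currently inside the window
        left = 0
        best = (0, None)
        for ts, dst in conns:
            counts[dst] += 1
            while ts - conns[left][0] > window:   # slide the window's left edge
                old = conns[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best[0]:
                best = (len(counts), conns[left][0])
        if best[0] >= min_hosts:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (hosts, start) in find_smb_enumeration_bursts(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src}: {hosts} distinct internal SMB hosts within {WINDOW_SECONDS:.0f}s from ts={start}")
```

Only 10.1.1.50 is reported: the scanner is allowlisted, the administrator touches too few hosts, and the slow host never concentrates enough distinct destinations inside one window, which is the failure mode a raw per-hour count would miss in the other direction. The same grouping can be expressed in Zeek itself or in a SIEM over NetFlow, but the point to validate first is that internal 445/139 flows reach the collector at all.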
Mitigation priorities
- Ensure internal SMB exposure is understood through asset inventory and network segmentation review.
- Restrict unnecessary SMB access between Linux hosts and internal file-sharing segments where business requirements do not justify it.
- Maintain least-privilege access to file shares and review share permissions that could increase reconnaissance value.
- Preserve Zeek, NetFlow, and endpoint logs long enough to support incident response timelines.
- Document approved scanning and administrative SMB enumeration so the SOC can distinguish expected activity from suspicious bursts.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. The most useful defensive decision is whether the organization can observe and contextualize high-volume internal SMB enumeration from Linux sources. The official object names example tools and the relevant network ports, but does not provide a formal detection query or thresholds.
No official detection logic, tactics, relationships, aliases, or additional context were supplied. Any threshold, severity, or response playbook must be validated against local network architecture, normal administration, sanctioned scanning, and available telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | de08e8eda864… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0514 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.