Overview
Detect SMB Servers without signature
This scenario is designed to simulate the discovery of SMB (Server Message Block) services on a target network that are operating without signing enabled. SMB signing is a security mechanism that helps protect against man-in-the-middle (MITM) attacks by ensuring the authenticity and integrity of SMB communications. When SMB signing is not enforced, an attacker can potentially intercept and manipulate SMB traffic, posing significant security risks.
The scenario emulates a typical reconnaissance activity that a threat actor might perform to identify vulnerable SMB servers that do not require cryptographic signatures for SMB sessions. These systems can be exploited further in post-exploitation phases for credential relaying, lateral movement, or data exfiltration.
The detection method used in this scenario involves sending SMB negotiation requests to target machines. Based on the responses received, in particular the SecurityMode flags and capabilities advertised by the server, the scenario determines whether SMB signing is required or merely optional. The test is non-intrusive: it does not authenticate to or exploit the server, but simply assesses its configuration from a network-level perspective.
Objective:
- Identify SMB servers on the network that do not enforce SMB signing.
- Evaluate the exposure and misconfiguration risks associated with unprotected SMB services.
- Help network defenders and blue teams detect this type of network scan in their logs and improve monitoring and detection rules (e.g., through SIEM or IDS).
Use Case:
- Security assessment and vulnerability management.
- Purple teaming and detection engineering.
- Enhancing visibility into insecure SMB configurations.
- Validating network segmentation and access controls.
Tactics & Techniques:
- Tactic: Discovery (MITRE ATT&CK: TA0007)
- Technique: Remote System Discovery (T1018)
- Sub-technique: SMB/NetBIOS Enumeration (custom behavior emulation)
Impact:
This scenario does not exploit any vulnerability but may trigger alerts related to reconnaissance or lateral movement preparation. It is safe to use in production environments, though coordination with blue teams is recommended to avoid false positives or confusion during active security operations.
Detection Tips:
Security teams can monitor for SMB negotiation traffic where the SecurityMode flag does not enforce signing (a value of 0x00 or 0x01, i.e. the "signing required" bit 0x02 is clear, so the server at most advertises signing as enabled but optional). Logs from Windows Event Viewer, network IDS such as Zeek or Suricata, and packet captures can help detect this behavior. Correlating this activity with unusual SMB scans, enumeration attempts, or login failures can provide early warning of possible intrusions.
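To make the SecurityMode check concrete for detection engineers, the following is an added example (not part of this scenario's own tooling) that parses the SMB2/SMB3 NEGOTIATE response structure from [MS-SMB2], extracts the SecurityMode and DialectRevision fields, and reports which hosts in a captured sample would accept unsigned sessions. The sample responses, host addresses and helper names (`build_negotiate_response`, `find_unsigned_hosts`) are constructed for the example; the field offsets and flag values are the standard SMB2 ones. It assumes the responses were captured from TCP port 445, optionally still wrapped in the 4-byte NetBIOS session service header.

```python
import struct
from dataclasses import dataclass

# SMB2 header and NEGOTIATE response constants from MS-SMB2.
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_SIZE = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # server supports signing
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002  # server refuses unsigned sessions

DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                 0x0302: "3.0.2", 0x0311: "3.1.1"}


@dataclass
class NegotiateInfo:
    dialect: int
    security_mode: int

    @property
    def signing_enabled(self) -> bool:
        return bool(self.security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)

    @property
    def signing_required(self) -> bool:
        return bool(self.security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)

    @property
    def dialect_name(self) -> str:
        return DIALECT_NAMES.get(self.dialect, hex(self.dialect))


def strip_netbios_header(data: bytes) -> bytes:
    """Remove the NetBIOS session service header (0x00 + 3-byte length) if present."""
    if len(data) >= 8 and data[0] == 0 and data[4:8] == SMB2_MAGIC:
        length = int.from_bytes(data[1:4], "big")
        return data[4:4 + length]
    return data


def parse_smb2_negotiate_response(data: bytes) -> NegotiateInfo:
    """Parse an SMB2 NEGOTIATE response and return its dialect and SecurityMode."""
    data = strip_netbios_header(data)
    if data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    header_size, = struct.unpack_from("<H", data, 4)
    command, = struct.unpack_from("<H", data, 12)
    flags, = struct.unpack_from("<I", data, 16)
    if header_size != SMB2_HEADER_SIZE or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("message is a request, not a server response")
    # Response body: StructureSize (65), SecurityMode, DialectRevision, ...
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", data, SMB2_HEADER_SIZE)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return NegotiateInfo(dialect=dialect, security_mode=security_mode)


def build_negotiate_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Construct a minimal, well-formed SMB2 NEGOTIATE response for the sample below."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, SMB2_HEADER_SIZE, 0, 0,
                         SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0,
                         b"\x00" * 16)
    # StructureSize is 65 by spec (64 fixed bytes plus one byte of variable buffer).
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x00" * 16,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b"\x00"


def with_netbios_header(message: bytes) -> bytes:
    return b"\x00" + len(message).to_bytes(3, "big") + message


# Constructed sample: three hosts, only one of which requires signing.
SAMPLE_RESPONSES = {
    "10.0.0.5": build_negotiate_response(0x0001, 0x0210),   # signing enabled, optional
    "10.0.0.7": build_negotiate_response(0x0003, 0x0311),   # signing required
    "10.0.0.9": with_netbios_header(build_negotiate_response(0x0000, 0x0202)),  # no signing
}


def find_unsigned_hosts(responses: dict) -> list:
    """Return the sorted list of hosts whose negotiate response does not require signing."""
    return sorted(host for host, raw in responses.items()
                  if not parse_smb2_negotiate_response(raw).signing_required)


if __name__ == "__main__":
    for host, raw in SAMPLE_RESPONSES.items():
        info = parse_smb2_negotiate_response(raw)
        print(f"{host}: SMB {info.dialect_name} SecurityMode=0x{info.security_mode:02x} "
              f"required={info.signing_required}")
    print("hosts accepting unsigned sessions:", find_unsigned_hosts(SAMPLE_RESPONSES))
```

The same field extraction can be applied to payloads carved from a packet capture or to bytes logged by a Zeek or Suricata SMB parser; the defender's signal is any server response whose SecurityMode lacks the 0x02 bit, which is exactly the 0x00 or 0x01 condition described above.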
Recommended Mitigations:
- Enforce SMB signing on all critical systems.
- Disable SMBv1 and limit SMBv2 where possible.
- Implement network segmentation to restrict SMB traffic.
- Monitor SMB negotiation logs and unusual SMB client behavior.