SMB attack on VM

Question

SMB attack on VM

Neil MacKenzie 0

The Windows event viewer is showing lots of SMB logon attempts even though the NSG for the VM is setup to block port 445. How is this happening?

Anusree Nashetty 5,735 Reputation points Microsoft External Staff Moderator

2025-08-04T02:19:04.4433333+00:00

Hi Neil MacKenzie,

Could you please let me know, if it is a Windows server or Azure Windows Virtual Machine.
Neil MacKenzie 0 Reputation points

2025-08-04T02:27:35.47+00:00

Not a server, Azure VM running Windows 11
Andreas Baumgarten 125.2K Reputation points MVP Volunteer Moderator

2025-08-04T05:53:50.71+00:00

Hi @Neil MacKenzie ,

do you know which source IPs are responsible for the SMB logon attempts (from external or Azure internal IPs)?

Do you have a dedicated NSG rule blocking inbound SMB? If so how this rule is configured?

I am asking because by default "AllowVnetOutBound" NSG rule with priority 65000 allows all inbound communication if source and target is "VirtualNetwork" (Azure internal networks).

By default all inbound communication from internet is blocked by the NSG rule "AllowInternetOutBound / priority 65001" .

I've never seen the default NSG rules failing.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Neil MacKenzie 0 Reputation points

2025-08-04T22:46:35.33+00:00

All the ip's are external (Russia, UK.. ). Here is the NSG
Neil MacKenzie 0 Reputation points

2025-08-04T22:47:42.88+00:00

Even Allow-SMB-In-Subnet is setup to deny, for testing
Anusree Nashetty 5,735 Reputation points Microsoft External Staff Moderator

2025-08-06T01:22:54.16+00:00

Hi Neil MacKenzie,

Did you get a chance to see the response provided by Andreas Baumgarten. If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Anusree Nashetty 5,735 Reputation points Microsoft External Staff Moderator

2025-08-11T07:18:33.2566667+00:00

Hi Neil MacKenzie,

Could you please post the same information provided in private chat and also let me know if the RDP login attempts issue is resolved or not.

Thank you.

1 answer

Your answer

Anusree Nashetty 5,735 Reputation points Microsoft External Staff Moderator

2025-08-04T02:19:04.4433333+00:00

Hi Neil MacKenzie,

Could you please let me know, if it is a Windows server or Azure Windows Virtual Machine.
Neil MacKenzie 0 Reputation points

2025-08-04T02:27:35.47+00:00

Not a server, Azure VM running Windows 11
Andreas Baumgarten 125.2K Reputation points MVP Volunteer Moderator

2025-08-04T05:53:50.71+00:00

Hi @Neil MacKenzie ,

do you know which source IPs are responsible for the SMB logon attempts (from external or Azure internal IPs)?

Do you have a dedicated NSG rule blocking inbound SMB? If so how this rule is configured?

I am asking because by default "AllowVnetOutBound" NSG rule with priority 65000 allows all inbound communication if source and target is "VirtualNetwork" (Azure internal networks).

By default all inbound communication from internet is blocked by the NSG rule "AllowInternetOutBound / priority 65001" .

I've never seen the default NSG rules failing.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten
Neil MacKenzie 0 Reputation points

2025-08-04T22:46:35.33+00:00

All the ip's are external (Russia, UK.. ). Here is the NSG
Neil MacKenzie 0 Reputation points

2025-08-04T22:47:42.88+00:00

Even Allow-SMB-In-Subnet is setup to deny, for testing
Anusree Nashetty 5,735 Reputation points Microsoft External Staff Moderator

2025-08-06T01:22:54.16+00:00

Hi Neil MacKenzie,

Did you get a chance to see the response provided by Andreas Baumgarten. If you have any further queries, let me know. If the information is helpful, please click on Upvote.
Anusree Nashetty 5,735 Reputation points Microsoft External Staff Moderator

2025-08-11T07:18:33.2566667+00:00

Hi Neil MacKenzie,

Could you please post the same information provided in private chat and also let me know if the RDP login attempts issue is resolved or not.

Thank you.

Answer 1

Andreas Baumgarten 125.2K MVP Volunteer Moderator

Hi @Neil MacKenzie ,

please take a look here: Preventing SMB traffic from lateral connections and entering or leaving the network

The recommendation is:

Block inbound and outbound TCP 445
Block inbound and outbound UDP137
Block inbound and outbound UDP 138
Block inbound and outbound TCP 139

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards

Andreas Baumgarten

Share via

SMB attack on VM

1 answer

Your answer