File Writes Within Admin Shares (RedCanary Threat Detection Report)
Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: File Writes Within Admin Shares (RedCanary Threat Detection Report)
id: 7d5c80c9-c2a0-4eeb-9988-3d1ac170ffc0
status: experimental
description: Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.
references:
  - https://redcanary.com/threat-detection-report/techniques/windows-admin-shares/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.bat'
    TargetFilename|contains:
      - 'ADMIN$'
      - 'IPC$'
      - 'C$'
  condition: selection
falsepositives:
  - Depends; may require baselining and exclusions for legitimate use.
level: low
```
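The selection above is two string tests joined by AND: the written file must end in one of the executable extensions and its path must contain one of the administrative share names. The following Python is an added illustration, not part of the Sigma rule or of RedCanary's material, that applies that same logic to a handful of constructed file-creation events shaped like the Windows `file_event` telemetry the rule targets (typically Sysmon Event ID 11). Hostnames, share names and file names in the sample data are invented.

```python
# Added example: evaluate the "File Writes Within Admin Shares" selection in code.
# The constants mirror the rule's two selection lists; the events are constructed
# sample data, not real telemetry.

SUFFIXES = (".exe", ".dll", ".bat")          # TargetFilename|endswith
SHARE_MARKERS = ("ADMIN$", "IPC$", "C$")     # TargetFilename|contains

# Constructed events in the shape of a Sysmon Event ID 11 (FileCreate) record.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"\\FILESRV01\ADMIN$\svc_update.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\FILESRV01\C$\Windows\Temp\payload.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\FILESRV01\C$\Users\alice\report.docx"},   # wrong suffix
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Temp\local.exe"},                  # no share marker
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\FILESRV01\Public\tool.bat"},                # ordinary share
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"\\FILESRV01\ipc$\stage.exe"},                 # lower-case share
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\FILESRV01\ABC$\notes.bat"},                 # 'ABC$' contains 'C$'
]


def matched_share(target_filename):
    """Return the first share marker found in the path, or None.

    Sigma string modifiers are case-insensitive by default, so both sides are
    lower-cased before comparison.
    """
    t = target_filename.lower()
    for marker in SHARE_MARKERS:
        if marker.lower() in t:
            return marker
    return None


def matches_rule(event):
    """True when the event satisfies both halves of the rule's selection."""
    target = event.get("TargetFilename", "")
    t = target.lower()
    has_suffix = t.endswith(tuple(s.lower() for s in SUFFIXES))
    return has_suffix and matched_share(target) is not None


def run_rule(events):
    """Apply the rule to a list of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


def triage_summary(events):
    """Group matching TargetFilenames by the share marker that fired, which is
    the first thing an analyst wants to see when baselining this rule."""
    summary = {}
    for e in run_rule(events):
        summary.setdefault(matched_share(e["TargetFilename"]), []).append(e["TargetFilename"])
    return summary


if __name__ == "__main__":
    for share, paths in triage_summary(SAMPLE_EVENTS).items():
        print(share)
        for p in paths:
            print("   ", p)
```

Two points the sample data makes visible: the modifiers are case-insensitive, so `\ipc$\` matches just as `\IPC$\` does, and `contains: 'C$'` fires on any share whose name ends in `C$` (the invented `ABC$` above), which is one reason the rule is rated `low` and the false-positives note calls for baselining and exclusions.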
Related rules
- Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
- Process Execution from Admin Share (RedCanary Threat Detection Report)
- Failed Mounting of Hidden Share
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Remote Service Creation