SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Sigma rule (View on GitHub)
1title: SMB Create Remote File Admin Share
2id: b210394c-ba12-4f89-9117-44a2464b9511
3status: test
4description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
5references:
6 - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
7 - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
8author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
9date: 2020-08-06
10modified: 2025-10-17
11tags:
12 - attack.lateral-movement
13 - attack.t1021.002
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 5145
20 ShareName|endswith: 'C$'
21 AccessMask: '0x2'
22 filter_main_subjectusername:
23 SubjectUserName|endswith: '$'
24 filter_optional_local_ip:
25 IpAddress: '::1'
26 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
27falsepositives:
28 - Unknown
29level: high
References
-
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook
Read More -
Dataset Description# This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).
Read More
Related rules
- Rundll32 UNC Path Execution
- HackTool - SharpMove Tool Execution
- Access To ADMIN$ Network Share
- DCERPC SMB Spoolss Named Pipe
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security