SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Sigma rule (View on GitHub)
1title: SMB Create Remote File Admin Share
2id: b210394c-ba12-4f89-9117-44a2464b9511
3status: test
4description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
5references:
6 - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
7 - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
8author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
9date: 2020/08/06
10modified: 2021/11/27
11tags:
12 - attack.lateral_movement
13 - attack.t1021.002
14logsource:
15 product: windows
16 service: security
17detection:
18 selection:
19 EventID: 5145
20 ShareName|endswith: 'C$'
21 AccessMask: '0x2'
22 filter:
23 SubjectUserName|endswith: '$'
24 condition: selection and not filter
25falsepositives:
26 - Unknown
27level: high
References
-
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. - OTRF/ThreatHunter-Playbook
Read More -
Dataset Description# This dataset represents a threat actor remotely copying a file over SMB (CreateRequest).
Read More
Related rules
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
- File Writes Within Admin Shares (RedCanary Threat Detection Report)
- Process Execution from Admin Share (RedCanary Threat Detection Report)
- Failed Mounting of Hidden Share