Potential SMB DLL Lateral Movement
Detection of potential use of SMB to transfer DLLs into the ProgramData folder of hosts for the purpose of lateral movement. The rule inspects file names seen in Zeek's smb_files log and fires when a name both contains "programdata" and ends in ".dll".
Sigma rule
title: Potential SMB DLL Lateral Movement
id: 8fe1524e-8c97-404c-9dee-090929a315c4
status: experimental
description: Detection of potential use of SMB to transfer DLLs into the ProgramData folder of hosts for the purpose of lateral movement.
author: TheDFIRReport
date: 2022/09/12
modified: 2023/01/08
references:
    - https://thedfirreport.com/
logsource:
    product: zeek
    service: smb_files
detection:
    selection_1:
        file_name|contains:
            - 'programdata'
    selection_2:
        file_name|endswith:
            # Sigma string modifiers are plain (case-insensitive) matches, not regex:
            # a backslash before '.' would be matched literally, so no escaping here.
            - '.dll'
    condition: selection_1 and selection_2
falsepositives:
    - RMM tools and administrative activity in the ProgramData folder.
level: medium
tags:
    - attack.lateral_movement
    - attack.t1570
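The rule logic applied to Zeek smb_files records, as an added example that is not part of the Sigma rule or of the Zeek project. It assumes Zeek is writing JSON logs (one object per line), that the Sigma field `file_name` is mapped to Zeek's `name` field (the mapping is backend-specific; `FIELD` is the assumed value), and that `contains`/`endswith` are case-insensitive plain-string matches as the Sigma specification defines them. The sample records are constructed, not real telemetry; one of them is an RMM agent DLL to show the false positive the rule itself lists.

```python
"""Apply the 'Potential SMB DLL Lateral Movement' selections to Zeek smb_files JSON.

Added example; assumptions:
- Zeek emits JSON logs, one object per line.
- Sigma field `file_name` maps to Zeek smb_files field `name` (FIELD below).
- Sigma contains/endswith are case-insensitive plain-string matches.
"""
import json
from typing import Iterator

FIELD = "name"  # Assumed backend mapping for the Sigma field `file_name`.

# Constructed sample records (not real telemetry). Backslashes are doubled
# because this is JSON text inside a Python raw string.
SAMPLE_SMB_FILES = r"""
{"ts":1662982212.1,"uid":"Cq1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"ProgramData\\svc\\beacon.dll","size":41984}
{"ts":1662982213.4,"uid":"Cq2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.21","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.21\\ADMIN$","name":"Temp\\beacon.dll","size":41984}
{"ts":1662982220.0,"uid":"Cq3","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"ProgramData\\RmmAgent\\client.dll","size":230400}
{"ts":1662982221.7,"uid":"Cq4","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.22","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.22\\C$","name":"PROGRAMDATA\\LOADER.DLL","size":12288}
{"ts":1662982225.2,"uid":"Cq5","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"ProgramData\\report.txt","size":1024}
{"ts":1662982230.9,"uid":"Cq6","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.20","action":"SMB::FILE_DELETE","path":"\\\\10.0.0.20\\C$","name":"Program Files\\Vendor\\helper.dll","size":65536}
"""


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma `|contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma `|endswith`: case-insensitive plain suffix match (no regex)."""
    return value.lower().endswith(suffix.lower())


def rule_matches(record: dict, suffix: str = ".dll") -> bool:
    """selection_1 and selection_2 from the rule, evaluated on one record."""
    value = record.get(FIELD)
    if not isinstance(value, str):
        return False
    return sigma_contains(value, "programdata") and sigma_endswith(value, suffix)


def parse_zeek_json(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty, non-comment log line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield json.loads(line)


def run_detection(text: str, suffix: str = ".dll") -> list[dict]:
    """Return a compact alert for every record the rule fires on, in log order."""
    alerts = []
    for rec in parse_zeek_json(text):
        if rule_matches(rec, suffix):
            alerts.append({
                "uid": rec["uid"],
                "src": rec["id.orig_h"],
                "dst": rec["id.resp_h"],
                "share": rec["path"],
                "file": rec[FIELD],
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_SMB_FILES):
        print(alert)
    # A literal '\.dll' suffix (backslash matched literally) fires on nothing.
    print("hits with literal backslash pattern:",
          len(run_detection(SAMPLE_SMB_FILES, suffix="\\.dll")))
```

Three records fire: the beacon written to a host's C$ share, the upper-cased loader (case-insensitive matching), and the RMM agent DLL, which is the benign case the rule's falsepositives entry warns about. The write to ADMIN$\Temp does not fire because the rule is scoped to ProgramData, so it is worth pairing with other SMB-write detections rather than relying on this one alone. The last line of the script shows why the suffix must be written as a plain `.dll`: passing a pattern with a leading backslash matches nothing in this data.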