Potential SMB DLL Lateral Movement
Detection of potential use of SMB to transfer DLLs into the ProgramData folder of hosts for purposes of lateral movement.
Sigma rule
title: Potential SMB DLL Lateral Movement
id: 8fe1524e-8c97-404c-9dee-090929a315c4
status: experimental
description: Detection of potential use of SMB to transfer DLLs into the ProgramData folder of hosts for purposes of lateral movement.
author: TheDFIRReport
date: 2022-09-12
modified: 2023-01-08
references:
    - https://thedfirreport.com/
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        file_name|contains: 'programdata'
        file_name|endswith: '\.dll'
    condition: selection
falsepositives:
    - RMM Tools and Administrative activities in ProgramData Folder.
level: medium
tags:
    - attack.lateral-movement
    - attack.t1570
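The selection above, applied to Zeek smb_files records as an added example (not part of the rule or of TheDFIRReport's tooling). It assumes the rule's file_name field maps to Zeek's smb_files name column, uses Sigma's default case-insensitive matching, and runs over constructed log lines; the optional allowlist is an analyst-side tuning for the RMM false positives the rule notes, not part of the rule.

```python
"""Apply the 'Potential SMB DLL Lateral Movement' selection to Zeek smb_files JSON lines."""
import json

# Constructed Zeek smb_files records in JSON log format; not captured traffic.
SAMPLE_LOG = r"""
{"ts":1662998400.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"ProgramData\\update\\helper.dll","size":51200}
{"ts":1662998401.2,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.21","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.21\\ADMIN$","name":"Temp\\tool.exe","size":1024}
{"ts":1662998402.3,"uid":"CAbc3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.22","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.22\\C$","name":"programdata\\Vendor\\agent.DLL","size":2048}
{"ts":1662998403.4,"uid":"CAbc4","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.22","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.22\\C$","name":"ProgramData\\notes.txt","size":12}
"""


def matches_selection(record: dict) -> bool:
    """Sigma 'selection': file_name|contains 'programdata' AND file_name|endswith '.dll'.

    Sigma string matching is case-insensitive, so the value is lower-cased first.
    Assumption: the rule's file_name maps to the Zeek smb_files 'name' column.
    """
    name = record.get("name", "")
    if not isinstance(name, str):
        return False
    lowered = name.lower()
    return "programdata" in lowered and lowered.endswith(".dll")


def run_rule(log_text: str, allowlist: tuple = ()) -> list:
    """Return the triage fields of every record that fires the rule.

    allowlist: lower-case path prefixes (constructed, analyst-maintained) for known
    RMM/admin tooling under ProgramData that should be suppressed.
    """
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if not matches_selection(record):
            continue
        if any(record["name"].lower().startswith(prefix) for prefix in allowlist):
            continue  # tuned-out known-good tooling
        hits.append({
            "ts": record.get("ts"),
            "src": record.get("id.orig_h"),
            "dst": record.get("id.resp_h"),
            "share": record.get("path"),
            "name": record.get("name"),
        })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(hit)
```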
Related rules
- Potential Qbot SMB DLL Lateral Movement
- Cicada Ransomware PSExec File Creation
- Metasploit Or Impacket Service Installation Via SMB PsExec
- PSEXEC Remote Execution File Artefact
- Rundll32 Execution Without Parameters