CAR-2013-05-003: SMB Write Request
As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host, and it is commonly used to upload files, whether to stage data for Exfiltration or to place tooling on a remote host as part of Lateral Movement. Unlike SMB reads, SMB write requests typically require an additional level of access (write permission on the target share), so they occur less often. Focusing on SMB write activity narrows the field to techniques that actively change remote hosts rather than passively reading files. Ordinary file-server traffic still generates writes, so the output is most useful when the destination is a host that does not normally serve files, or when the target is an administrative share such as ADMIN$ or C$.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
Lateral Tool Transfer | N/A | Lateral Movement | Moderate |
Remote Services | SMB/Windows Admin Shares | Lateral Movement | Moderate |
Valid Accounts | Domain Accounts, Local Accounts | Defense Evasion | Moderate |
D3FEND Techniques
ID | Name |
---|---|
D3-IPCTA | IPC Traffic Analysis |
Data Model References
Object | Action | Field |
---|---|---|
flow | message | proto_info |
flow | message | dest_port |
Implementations
Pseudocode
flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write")
smb_write.file_name = smb_write.proto_info.file_name
output smb_write
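The filter above run over sample records, as an added example that is not part of the CAR page or its pseudocode. The records are constructed in the shape of the CAR flow/message object (dest_port, protocol, proto_info.file_name); the src_ip and dest_ip fields, the int-or-string port normalisation, the "<unknown>" placeholder for writes with no recorded file name, and the administrative-share enrichment are assumptions added for illustration.

```python
"""Added example: apply the CAR-2013-05-003 filter to constructed flow records."""
import re
from collections import Counter

# Constructed sample records modelled on the CAR flow/message object.
# src_ip/dest_ip and the share embedded in file_name are assumptions.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "protocol": "smb.read", "proto_info": {"file_name": "\\\\FS01\\docs\\q3.xlsx"}},
    # dest_port logged as a string, as in the pseudocode's comparison
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": "445",
     "protocol": "smb.write", "proto_info": {"file_name": "\\\\FS01\\docs\\q3.xlsx"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.31", "dest_port": 445,
     "protocol": "smb.write", "proto_info": {"file_name": "\\\\WS31\\ADMIN$\\svc.exe"}},
    # write where the sensor recorded no file name
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.31", "dest_port": 445,
     "protocol": "smb.write", "proto_info": {}},
    # smb.write on a port other than 445: the analytic does not match it
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.40", "dest_port": 8445,
     "protocol": "smb.write", "proto_info": {"file_name": "x"}},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.40", "dest_port": 445,
     "protocol": "http", "proto_info": {}},
]

# Assumed path convention: share name appears as \ADMIN$\ or \<drive>$\ in file_name.
ADMIN_SHARE = re.compile(r"\\(ADMIN\$|[A-Za-z]\$)\\", re.IGNORECASE)


def is_smb_write(flow):
    """The pseudocode's predicate: dest_port == 445 and protocol == smb.write."""
    try:
        port = int(flow.get("dest_port"))   # tolerate int or string port values
    except (TypeError, ValueError):
        return False
    return port == 445 and flow.get("protocol") == "smb.write"


def smb_write_events(flows):
    """Return matching records with file_name hoisted out of proto_info."""
    out = []
    for flow in flows:
        if not is_smb_write(flow):
            continue
        event = dict(flow)
        event["file_name"] = (flow.get("proto_info") or {}).get("file_name", "<unknown>")
        out.append(event)
    return out


def targets_admin_share(file_name):
    """Enrichment (assumption): flag writes whose path goes to an admin share."""
    return bool(ADMIN_SHARE.search(file_name or ""))


def writes_by_source(flows):
    """Count matching write events per source host for triage."""
    return Counter(e["src_ip"] for e in smb_write_events(flows))


if __name__ == "__main__":
    for e in smb_write_events(SAMPLE_FLOWS):
        tag = " [admin share]" if targets_admin_share(e["file_name"]) else ""
        print(f'{e["src_ip"]} -> {e["dest_ip"]} wrote {e["file_name"]}{tag}')
    print(dict(writes_by_source(SAMPLE_FLOWS)))
```

The predicate follows the pseudocode exactly, so SMB carried over the NetBIOS session service on TCP 139 does not match; widen the port check if that traffic is present on the network. Real sensors often log the share from the tree connect separately from the file path, in which case the admin-share check should read that field rather than the path.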