As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system, and adversaries often use it to move laterally to a host. SMB is commonly used to upload files, either to stage data for Exfiltration or as a Lateral Movement technique. Unlike SMB reads, SMB write requests typically require an additional level of access (write permission on the share), so they occur far less often. Focusing on SMB write activity narrows the field to techniques that actively change remote hosts rather than passively reading files.

ATT&CK Detection

Technique              Subtechnique(s)                   Tactic(s)          Level of Coverage
Lateral Tool Transfer  N/A                               Lateral Movement   Moderate
Remote Services        SMB/Windows Admin Shares          Lateral Movement   Moderate
Valid Accounts         Domain Accounts, Local Accounts   Defense Evasion    Moderate

Data Model References

Object   Action    Field
flow     message   proto_info
flow     message   dest_port

Pseudocode

flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write")
smb_write.file_name = smb_write.proto_info.file_name
output smb_write
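The following is an added example, not part of the CAR analytic, that applies the pseudocode's filter to flow records shaped like the CAR data model (a flow message with dest_port, protocol and proto_info) and then goes one step further than the analytic: it separates writes that land on administrative shares, which map to the Remote Services: SMB/Windows Admin Shares row in the coverage table, and counts writes per source host. The sample records are constructed for the example; the src_ip and dest_ip fields, the UNC form of file_name, and the ADMIN_SHARES list are assumptions, not something the analytic specifies.

```python
"""Added example (not part of the CAR analytic): run the SMB Write filter
over flow records shaped like the CAR flow/message object and surface
the written file names, admin-share writes, and writes per source host."""
import json
from collections import Counter

# Constructed sample flow messages, not real captures. dest_port, protocol
# and proto_info.file_name follow the analytic's data model; src_ip,
# dest_ip and the UNC path layout are assumptions for illustration.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": "445",
     "protocol": "smb.read",
     "proto_info": {"file_name": "\\\\10.0.0.20\\share\\report.docx"}},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": "445",
     "protocol": "smb.write",
     "proto_info": {"file_name": "\\\\10.0.0.20\\ADMIN$\\svc.exe"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.21", "dest_port": "445",
     "protocol": "smb.write",
     "proto_info": {"file_name": "\\\\10.0.0.21\\share\\notes.txt"}},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.22", "dest_port": "445",
     "protocol": "smb.write",
     "proto_info": {"file_name": "\\\\10.0.0.22\\C$\\Windows\\Temp\\x.dll"}},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.23", "dest_port": "80",
     "protocol": "http",
     "proto_info": {"uri": "/index.html"}},
]

# Assumed list of Windows administrative shares of interest.
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def smb_writes(flows):
    """The analytic's pseudocode, line for line: keep flow messages with
    dest_port == "445" and protocol == "smb.write", then lift
    proto_info.file_name onto the record as file_name."""
    out = []
    for f in flows:
        if str(f.get("dest_port")) == "445" and f.get("protocol") == "smb.write":
            rec = dict(f)
            rec["file_name"] = f.get("proto_info", {}).get("file_name")
            out.append(rec)
    return out


def share_of(file_name):
    r"""Return the share component of a UNC path like \\host\share\path,
    or "" if the path has no share component."""
    parts = file_name.lstrip("\\").split("\\")
    return parts[1] if len(parts) > 1 else ""


def admin_share_writes(flows):
    """SMB writes whose target share is an administrative share; these are
    the Remote Services: SMB/Windows Admin Shares cases from the table."""
    return [r for r in smb_writes(flows)
            if share_of(r["file_name"] or "").upper() in ADMIN_SHARES]


def writers_by_source(flows):
    """Count SMB writes per source host. One host writing to several
    remote targets is the lateral-movement pattern the analytic targets."""
    return Counter(r["src_ip"] for r in smb_writes(flows))


if __name__ == "__main__":
    for r in smb_writes(SAMPLE_FLOWS):
        print(json.dumps({k: r[k] for k in ("src_ip", "dest_ip", "file_name")}))
    print("admin share writes:",
          [r["file_name"] for r in admin_share_writes(SAMPLE_FLOWS)])
    print("writes per source:", dict(writers_by_source(SAMPLE_FLOWS)))
```

On the constructed sample the read on port 445 and the HTTP flow drop out, three writes remain, two of them to ADMIN$ and C$, and 10.0.0.5 accounts for two writes to two different hosts. In production the admin-share and per-source views are where to start triage, since ordinary file shares see legitimate writes all day while ADMIN$ and C$ writes from workstations rarely do.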