As described in CAR-2013-01-003, SMB provides a means of remotely managing a file system. Adversaries often use SMB to move laterally to a host. SMB is commonly used to upload files. It may be used for staging in Exfiltration or as a Lateral Movement technique. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to find techniques that actively change remote hosts, instead of passively reading files.
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Lateral Tool Transfer | N/A | Lateral Movement | Moderate |
| Remote Services | SMB/Windows Admin Shares | Lateral Movement | Moderate |
| Valid Accounts | Domain Accounts, Local Accounts | Defense Evasion | Moderate |
Data Model References
```
flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write")
smb_write.file_name = smb_write.proto_info.file_name
output smb_write
```
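The pseudocode above filters network flow records down to SMB write requests on port 445 and surfaces the written file name. The following Python is an added illustration of that same logic, not code from the CAR page or the CAR project: the `SAMPLE_FLOWS` records are constructed, the field names mirror the pseudocode (`dest_port`, `protocol`, `proto_info.file_name`), and the `writes_by_source` helper is an assumption about how an analyst might group the output by source host to spot one machine writing to many remote systems.

```python
# Constructed sample flow records (not from the CAR page). Each mimics a
# Flow:Message object: destination port, protocol identifier, and the
# protocol-specific details the pseudocode reads as proto_info.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": "445",
     "protocol": "smb.read", "proto_info": {"file_name": "\\share\\report.docx"}},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.21", "dest_port": "445",
     "protocol": "smb.write", "proto_info": {"file_name": "\\ADMIN$\\svc.exe"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.22", "dest_port": "443",
     "protocol": "tls", "proto_info": {}},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.23", "dest_port": "445",
     "protocol": "smb.write", "proto_info": {"file_name": "\\C$\\Windows\\Temp\\update.ps1"}},
]


def smb_write_requests(flows):
    """Python equivalent of the CAR pseudocode: keep only flows to port 445
    whose protocol is smb.write, and copy proto_info.file_name to a
    top-level file_name field so the output is easy to review."""
    results = []
    for flow in flows:
        if flow.get("dest_port") == "445" and flow.get("protocol") == "smb.write":
            hit = dict(flow)
            hit["file_name"] = flow.get("proto_info", {}).get("file_name")
            results.append(hit)
    return results


def writes_by_source(hits):
    """Hypothetical analyst aid (not part of the CAR analytic): group hits by
    source host so a single host writing files to several remote systems
    stands out instead of being reviewed one write at a time."""
    by_src = {}
    for hit in hits:
        by_src.setdefault(hit["src_ip"], []).append((hit["dest_ip"], hit["file_name"]))
    return by_src


if __name__ == "__main__":
    hits = smb_write_requests(SAMPLE_FLOWS)
    for h in hits:
        print(f'{h["src_ip"]} -> {h["dest_ip"]} wrote {h["file_name"]}')
    for src, targets in writes_by_source(hits).items():
        print(f"{src}: {len(targets)} remote write(s)")
```

Only the two `smb.write` records survive the filter; the `smb.read` to the same port is dropped, which is the narrowing the analytic relies on. In a real deployment the output still needs baselining against legitimate administrative copies (software deployment, backup agents) before it is treated as an alert.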