An adversary needs to gain access to other hosts to move throughout an environment. In many cases, this is a twofold process. First, a file is remotely written to a host via an SMB share (detected by CAR-2013-05-003). Then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.

ATT&CK Detection

Technique Tactic Level of Coverage
Windows Admin Shares Lateral Movement Moderate
Valid Accounts Defense Evasion, Lateral Movement Moderate
Remote File Copy Lateral Movement Moderate

Pseudocode

process = search Process:Create
smb_write = run Analytic:CAR-2013-05-003
remote_start = join (smb_write, process) where (
 smb_write.hostname == process.hostname and
 smb_write.file_path == process.image_path
 (smb_write.time < process.time)
)
output remote_start

Additional Notes:

This can possibly extend to more copy protocols in order to widen its reach, or it could be tuned more finely to focus on specific program run locations (e.g. %SYSTEMROOT%\system32) to gain a higher detection rate.

Data Model References

Object Action Field
process create image_path
process create proto_info
process create hostname