Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.

This analytic monitors SMB activity that deals with user activity rather than file activity.

ATT&CK Detection

Technique Subtechnique(s) Tactic(s) Level of Coverage
Forced Authentication N/A Credential Access Low

Data Model References

Object Action Field
flow message dest_port
flow message proto_info
flow message protocol



flow = search Flow:Message
smb_setup = filter flow where (dest_port == 445 and protocol == smb.setup)
smb_setup.user = smb_write.proto_info.user_name
smb_setup.target_host = smb_write.proto_info.hostname
output smb_write