CAR-2013-09-003: SMB Session Setups
Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.
This analytic monitors SMB activity that deals with user activity rather than file activity.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
Forced Authentication | N/A | Credential Access | Low |
D3FEND Techniques
ID | Name |
---|---|
D3-IPCTA | IPC Traffic Analysis |
Data Model References
Object | Action | Field |
---|---|---|
flow | message | dest_port |
flow | message | proto_info |
flow | message | protocol |
Implementations
Pseudocode
flow = search Flow:Message
smb_setup = filter flow where (dest_port == 445 and protocol == smb.setup)
smb_setup.user = smb_setup.proto_info.user_name
smb_setup.target_host = smb_setup.proto_info.hostname
output smb_setup
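The pseudocode above only selects and projects the session-setup messages; the analytic's purpose (spotting one credential reaching many hosts) needs a pivot on top of that. The following Python is an added example, not CAR's own implementation: it runs the same filter (dest_port 445, protocol smb.setup) over constructed flow records in the data-model shape used on this page, then aggregates target hosts per user. The record layout, the host and user names, and the `max_hosts` baseline are assumptions for illustration.

```python
"""Added example (not the CAR project's code): apply the CAR-2013-09-003
filter to constructed flow records and pivot the result into
user -> hosts reached, the view an analyst uses to judge credential use."""
from collections import defaultdict

# Constructed sample records in the page's data-model shape
# (flow / message with dest_port, protocol, proto_info). All values are made up.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\alice", "hostname": "FILESRV01"}},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.21", "dest_port": 445,
     "protocol": "smb.write",  # file activity: excluded by this analytic
     "proto_info": {"user_name": "CORP\\alice", "hostname": "FILESRV02", "file": "x.txt"}},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.22", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\svc_backup", "hostname": "DC01"}},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.23", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\svc_backup", "hostname": "WS-042"}},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.24", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\svc_backup", "hostname": "WS-043"}},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.30", "dest_port": 139,  # not 445: excluded
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\alice", "hostname": "LEGACY01"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.25", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "", "hostname": "FILESRV01"}},  # empty user: null session
]


def smb_session_setups(flows):
    """The analytic's filter: flow messages to port 445 with protocol smb.setup.

    Yields (user, target_host, src_ip). A setup carrying no user_name is kept
    and labelled <anonymous> rather than dropped, so null sessions stay visible.
    """
    for f in flows:
        if f.get("dest_port") != 445 or f.get("protocol") != "smb.setup":
            continue
        info = f.get("proto_info", {})
        user = info.get("user_name") or "<anonymous>"
        yield user, info.get("hostname", "<unknown>"), f.get("src_ip", "<unknown>")


def hosts_per_user(flows):
    """Pivot session setups into user -> set of target hosts."""
    table = defaultdict(set)
    for user, host, _src in smb_session_setups(flows):
        table[user].add(host)
    return dict(table)


def users_exceeding(flows, max_hosts):
    """Users whose distinct target-host count exceeds max_hosts.

    max_hosts is an assumed per-environment baseline (e.g. derived from
    historical session-setup counts); it is not part of the CAR analytic.
    """
    return sorted(u for u, hosts in hosts_per_user(flows).items()
                  if len(hosts) > max_hosts)


if __name__ == "__main__":
    for user, hosts in sorted(hosts_per_user(SAMPLE_FLOWS).items()):
        print(f"{user:20s} -> {sorted(hosts)}")
    print("over baseline:", users_exceeding(SAMPLE_FLOWS, 2))
```

In the constructed data the filter keeps five session setups, drops the write and the port-139 record, and the pivot shows one service account reaching three hosts while the others reach one; in practice the baseline would come from each environment's normal SMB session pattern rather than a fixed number.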