Account usage within SMB can be used to identify compromised credentials, and the hosts accessed with them.

This analytic monitors the user-level side of SMB activity (session setups, which carry the account name and the host being accessed) rather than file-level activity.

ATT&CK Detection

Technique              Tactic             Level of Coverage
Forced Authentication  Credential Access  Low

Data Model References

Object  Action   Field
flow    message  dest_port
flow    message  proto_info
flow    message  protocol

Implementations

Pseudocode

flow = search Flow:Message
smb_setup = filter flow where (dest_port == 445 and protocol == smb.setup)
smb_setup.user = smb_setup.proto_info.user_name
smb_setup.target_host = smb_setup.proto_info.hostname
output smb_setup
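The following is an added worked example of the pseudocode above in Python; it is not part of the original analytic and not code from the CAR project. It assumes flow messages are delivered as dictionaries with the fields in the data model table (dest_port, protocol, proto_info) plus src_ip and dest_ip, and that proto_info carries user_name and hostname for session setups. The sample flow records and the baseline of expected account-to-host pairs are constructed for illustration. It goes one step beyond the pseudocode by pivoting the output into "which hosts did each account reach" and flagging pairs not seen in a baseline, which is how an analyst would use the result to spot a credential in use from an unexpected place.

```python
"""SMB session-setup analytic over constructed flow records (added example)."""
from collections import defaultdict

# Constructed sample flow messages shaped like the CAR flow/message object.
# These are not real captures; hostnames and accounts are placeholders.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\alice", "hostname": "FILESRV01"}},
    # file-level activity: same account, but not a session setup
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.21", "dest_port": 445,
     "protocol": "smb.write",
     "proto_info": {"user_name": "CORP\\alice", "hostname": "FILESRV02",
                    "path": "\\share\\doc.txt"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.20", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\svc-backup", "hostname": "FILESRV01"}},
    # service account setting up a session to a host it has not used before
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.30", "dest_port": 445,
     "protocol": "smb.setup",
     "proto_info": {"user_name": "CORP\\svc-backup", "hostname": "DC01"}},
    # non-SMB traffic, ignored by the filter
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.0.40", "dest_port": 80,
     "protocol": "http", "proto_info": {}},
]

# Constructed baseline: account -> hosts it is normally seen reaching over SMB.
BASELINE = {
    "CORP\\alice": {"FILESRV01"},
    "CORP\\svc-backup": {"FILESRV01"},
}


def smb_session_setups(flows):
    """filter flow where dest_port == 445 and protocol == smb.setup,
    then project user and target_host from proto_info."""
    sessions = []
    for f in flows:
        if f.get("dest_port") != 445 or f.get("protocol") != "smb.setup":
            continue
        info = f.get("proto_info") or {}
        sessions.append({
            "src_ip": f.get("src_ip"),
            "dest_ip": f.get("dest_ip"),
            "user": info.get("user_name"),
            "target_host": info.get("hostname"),
        })
    return sessions


def hosts_by_user(sessions):
    """Pivot the session list into account -> sorted list of hosts accessed."""
    hosts = defaultdict(set)
    for s in sessions:
        if s["user"] is not None and s["target_host"] is not None:
            hosts[s["user"]].add(s["target_host"])
    return {user: sorted(h) for user, h in hosts.items()}


def new_access_pairs(sessions, baseline):
    """Return (user, host) pairs seen in session setups but absent from the
    baseline; these are the candidates for a compromised credential."""
    flagged = set()
    for user, hosts in hosts_by_user(sessions).items():
        for host in hosts:
            if host not in baseline.get(user, set()):
                flagged.add((user, host))
    return sorted(flagged)


if __name__ == "__main__":
    found = smb_session_setups(SAMPLE_FLOWS)
    for s in found:
        print(f"{s['src_ip']} -> {s['target_host']} as {s['user']}")
    for user, host in new_access_pairs(found, BASELINE):
        print(f"NEW ACCESS: {user} reached {host} (not in baseline)")
```

Session setups are the right place to count accounts because each one names the authenticating user once, whereas file operations repeat the same account many times and would skew any per-account tally; the baseline comparison is what turns the raw list into something an analyst can act on.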