An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of that written file. Named pipes are a subset of SMB write requests. Named pipes such as msftewds may not be alarming; however others, such as lsarpc, may.

Monitoring SMB write requests still creates some noise, particularly with named pipes. As a result, the SMB write analytic is now split between writing named pipes and writing other files.

ATT&CK Detections

Technique              Subtechnique(s)  Tactic(s)         Level of Coverage
Lateral Tool Transfer  N/A              Lateral Movement  Low

D3FEND Techniques

ID        Name
D3-IPCTA  IPC Traffic Analysis

Data Model References

Object  Action   Field
flow    message  proto_info
flow    start    dest_port

Implementations

Pseudocode

Look for SMB network connections over port 445. Using a sensor that can decode protocol information, extract the name of the pipe and potentially other information. Named-pipe writes happen legitimately, so certain pipes, such as spoolss, should be appropriately white-listed. Certain pipes do correspond to adversary activity, including:

flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write_pipe")
smb_write.pipe_name = smb_write.proto_info.pipe_name
output smb_write
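As an added worked example (not code from the CAR page), the pseudocode above implemented in Python over constructed flow records: the filter on port 445 and smb.write_pipe, the hoisting of proto_info.pipe_name, then triage against a white-list (spoolss, msftewds) and a watch-list (lsarpc) taken from the text. The record shape, the sample values and the two pipe sets are assumptions to be tuned per environment.

```python
# Added example implementing the analytic above; record layout and sample
# data are constructed for illustration, not taken from a real sensor.

# Pipes the text treats as routine (white-list) and as potentially alarming.
WHITELIST = {"spoolss", "msftewds"}
WATCHLIST = {"lsarpc"}

# Constructed sample flow records in the shape of the page's data model
# (dest_port and proto_info.pipe_name are the fields the analytic uses).
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 445,
     "protocol": "smb.write_pipe", "proto_info": {"pipe_name": "spoolss"}},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "dest_port": 445,
     "protocol": "smb.write_pipe", "proto_info": {"pipe_name": r"\PIPE\lsarpc"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "dest_port": 445,
     "protocol": "smb.write_file", "proto_info": {"file_name": "tool.exe"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "dest_port": 445,
     "protocol": "smb.write_pipe", "proto_info": {"pipe_name": "custompipe"}},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.9", "dest_port": 80,
     "protocol": "http", "proto_info": {}},
]


def normalize_pipe(name):
    """Strip any \\PIPE\\ path prefix and case so names compare to the lists."""
    return name.rsplit("\\", 1)[-1].lower()


def smb_pipe_writes(flows):
    """Filter step from the pseudocode: SMB pipe writes to port 445,
    with pipe_name copied out of proto_info onto the record."""
    out = []
    for f in flows:
        if str(f.get("dest_port")) == "445" and f.get("protocol") == "smb.write_pipe":
            rec = dict(f)
            rec["pipe_name"] = normalize_pipe(f.get("proto_info", {}).get("pipe_name", ""))
            out.append(rec)
    return out


def triage(flows):
    """Drop white-listed pipes; label watch-listed pipes, leave the rest 'unknown'
    for review alongside other evidence (e.g. execution of a written file)."""
    findings = []
    for rec in smb_pipe_writes(flows):
        if rec["pipe_name"] in WHITELIST:
            continue
        label = "watchlist" if rec["pipe_name"] in WATCHLIST else "unknown"
        findings.append((rec["src_ip"], rec["dest_ip"], rec["pipe_name"], label))
    return findings
```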