An SMB write can be an indicator of lateral movement, especially when combined with other information such as execution of the written file. Named pipe writes are a subset of SMB write requests. Writes to some named pipes, such as msftewds, may not be alarming; writes to others, such as lsarpc, may be.
Monitoring SMB write requests still creates some noise, particularly with named pipes. As a result, the SMB analytic is now split between writes to named pipes and writes to other files.
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|Lateral Tool Transfer|N/A|Lateral Movement|Low|

|ID|Name|
|---|---|
|D3-IPCTA|IPC Traffic Analysis|
Data Model References
Look for SMB network connections over port 445. Using a sensor that can decode protocol information, extract the name of the pipe and potentially other information. Pipe writes happen legitimately, so certain pipes, such as spoolss, should be appropriately white-listed. Certain pipes do correspond to adversary activity, including:
```
flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write_pipe")
smb_write.pipe_name = smb_write.proto_info.pipe_name
output smb_write
```
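The pseudocode above rendered as runnable Python, as an added example that is not part of the original analytic: it keeps port-445 `smb.write_pipe` messages, lifts `pipe_name` out of `proto_info`, and then drops the pipes the text treats as noise. The `FlowMessage` fields follow the pseudocode; the allow-list (built only from the pipes named on this page) and the sample flows are constructed here.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed allow-list: only the pipes this analytic names as legitimate/noisy.
# A real deployment tunes this to the environment's observed baseline.
ALLOWLISTED_PIPES = {"spoolss", "msftewds"}


@dataclass
class FlowMessage:
    """One decoded Flow:Message record (field names follow the pseudocode)."""
    src_ip: str
    dest_ip: str
    dest_port: str
    protocol: str          # e.g. "smb.write_pipe" or "smb.write_file"
    proto_info: Dict[str, str]  # decoded protocol fields; pipe_name for pipe writes


def smb_pipe_writes(flows: Iterable[FlowMessage]) -> List[dict]:
    """filter flow where dest_port == 445 and protocol == smb.write_pipe;
    project src/dest and the pipe name (the 'output smb_write' step)."""
    out = []
    for f in flows:
        if f.dest_port == "445" and f.protocol == "smb.write_pipe":
            out.append({"src_ip": f.src_ip, "dest_ip": f.dest_ip,
                        "pipe_name": f.proto_info.get("pipe_name", "")})
    return out


def suspicious_pipe_writes(flows: Iterable[FlowMessage],
                           allowlist=ALLOWLISTED_PIPES) -> List[dict]:
    """Noise reduction: discard allow-listed pipes, keep the rest for review."""
    return [w for w in smb_pipe_writes(flows)
            if w["pipe_name"].lower() not in allowlist]


# Constructed sample traffic: one print-spooler pipe write (allow-listed),
# one lsarpc pipe write, one plain file write, and one non-SMB port.
SAMPLE_FLOWS = [
    FlowMessage("10.0.0.5", "10.0.0.20", "445", "smb.write_pipe", {"pipe_name": "spoolss"}),
    FlowMessage("10.0.0.5", "10.0.0.21", "445", "smb.write_pipe", {"pipe_name": "lsarpc"}),
    FlowMessage("10.0.0.5", "10.0.0.22", "445", "smb.write_file", {"filename": "ADMIN$\\t.exe"}),
    FlowMessage("10.0.0.5", "10.0.0.23", "139", "smb.write_pipe", {"pipe_name": "lsarpc"}),
]

if __name__ == "__main__":
    for hit in suspicious_pipe_writes(SAMPLE_FLOWS):
        print(hit)
```

The `smb.write_file` record is deliberately excluded here, matching the split the text describes; it belongs to the separate file-write analytic.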