Detect SMB File Copies
Description
Adversaries can use SMB to upload files to remote shares or to interact with files on those shares. A common technique is to upload a malicious file to a remote host. This KQL query detects all SMB file copies recorded in IdentityDirectoryEvents. To run the query effectively, add the known benign accounts to the whitelist.
A false positive would be an administrator performing legitimate SMB file copies.
Risk
An actor uses an SMB file copy to distribute malware in your environment.
Query
Microsoft Defender For Endpoint
```kusto
// Accounts that are known to perform legitimate SMB file copies; extend this list for your environment.
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
// AdditionalFields is a JSON string; pull out the copy count and the file details.
| extend
    SMBFileCopyCount = parse_json(AdditionalFields).Count,
    FilePath = parse_json(AdditionalFields).FilePath,
    FileName = parse_json(AdditionalFields).FileName
// DeviceName is the host the copy originated from.
| project-rename SourceDeviceName = DeviceName
| project-reorder
    Timestamp,
    ActionType,
    SourceDeviceName,
    DestinationDeviceName,
    FilePath,
    FileName,
    SMBFileCopyCount
```
Microsoft Sentinel
```kusto
// Accounts that are known to perform legitimate SMB file copies; extend this list for your environment.
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
// AdditionalFields is a JSON string; pull out the copy count and the file details.
| extend
    SMBFileCopyCount = parse_json(AdditionalFields).Count,
    FilePath = parse_json(AdditionalFields).FilePath,
    FileName = parse_json(AdditionalFields).FileName
// DeviceName is the host the copy originated from.
| project-rename SourceDeviceName = DeviceName
| project-reorder
    TimeGenerated,
    ActionType,
    SourceDeviceName,
    DestinationDeviceName,
    FilePath,
    FileName,
    SMBFileCopyCount
```
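The queries above return one row per copy event, which is noisy in environments with a lot of legitimate file traffic. The following variant is an added example, not part of the original page, that aggregates the same events per account and source host over one-hour windows and surfaces accounts that copied files to many distinct destination hosts, which is the pattern a malware distribution campaign tends to leave. It uses only the columns already referenced by the page's queries; the `Timestamp` column matches the Defender for Endpoint version (use `TimeGenerated` in Sentinel), and the 7-day lookback and the threshold of five destinations are assumed tuning values.

```kusto
// Added example: aggregate SMB file copies to find accounts fanning out to many hosts.
// Column names follow the page's query; the lookback and threshold are assumptions to tune.
let WhitelistedAccounts = dynamic(['account1', 'account2']);
let DistinctDestinationThreshold = 5;
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
// Parse AdditionalFields once and cast the fields we aggregate on.
| extend Fields = parse_json(AdditionalFields)
| extend
    FileName = tostring(Fields.FileName),
    SMBFileCopyCount = toint(Fields.Count)
| summarize
    TotalCopies = sum(SMBFileCopyCount),
    DistinctDestinations = dcount(DestinationDeviceName),
    Destinations = make_set(DestinationDeviceName, 50),
    FileNames = make_set(FileName, 50),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountName, SourceDeviceName = DeviceName, bin(Timestamp, 1h)
// Keep only account/source pairs that reached many distinct hosts in the window.
| where DistinctDestinations >= DistinctDestinationThreshold
| order by DistinctDestinations desc, TotalCopies desc
```

One caveat on the whitelist that applies to all three queries: `has_any` performs term matching, so an entry such as `account1` also suppresses any account name that contains `account1` as a term (for example a domain-qualified form of the same name). If exact matching is wanted, replace the whitelist filter with `| where AccountName !in~ (WhitelistedAccounts)`.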