Detectionhightest
SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Jose Rodriguez, OTR (Open Threat Research)Created Thu Aug 06Updated Fri Oct 17b210394c-ba12-4f89-9117-44a2464b9511windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic3 selectors
detection:
selection:
EventID: 5145
ShareName|endswith: 'C$'
AccessMask: '0x2'
filter_main_subjectusername:
SubjectUserName|endswith: '$'
filter_optional_local_ip:
IpAddress: '::1'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
b210394c-ba12-4f89-9117-44a2464b9511
Status
test
Level
high
Type
Detection
Created
Thu Aug 06
Modified
Fri Oct 17
Path
rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
Raw Tags
attack.lateral-movementattack.t1021.002