# Detect SMB File Copies
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | https://attack.mitre.org/techniques/T1021/002 |
#### Description
Adversaries can use SMB to upload files to remote shares or to interact with files on those shares. A common technique is to upload malicious files to a remote host. This query detects all SMB file copies. In order to run the query effectively, add the benign accounts to the whitelist.
A false positive would be an administrator performing legitimate SMB file copies.
#### Risk
An actor uses an SMB file copy to distribute malware in your environment.
## Defender For Endpoint
```
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend
SMBFileCopyCount = parse_json(AdditionalFields).Count,
FilePath = parse_json(AdditionalFields).FilePath,
FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
Timestamp,
ActionType,
SourceDeviceName,
DestinationDeviceName,
FilePath,
FileName,
SMBFileCopyCount
```
## Sentinel
```
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend
SMBFileCopyCount = parse_json(AdditionalFields).Count,
FilePath = parse_json(AdditionalFields).FilePath,
FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
TimeGenerated,
ActionType,
SourceDeviceName,
DestinationDeviceName,
FilePath,
FileName,
SMBFileCopyCount
```
The query detects SMB file copies, which can be used by adversaries to upload files to remote shares or interact with files on those shares. The query filters out any SMB file copies performed by whitelisted accounts. The results include information such as the timestamp, source device name, destination device name, file path, file name, and the count of SMB file copies. The purpose of the query is to identify any malicious use of SMB file copies in order to prevent the distribution of malware in the environment.
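The following is an added example, not part of the original query, that builds on the detection above to surface one account or source device copying files to many distinct hosts within a short window, which is the distribution pattern described under Risk. The window and destination threshold are assumptions to tune per environment; it is written against the Defender for Endpoint schema (`Timestamp`), so use `TimeGenerated` in Sentinel.

```kql
// Added example: aggregate SMB file copies per account and source device to
// highlight fan-out to many destinations. Thresholds below are assumptions.
let WhitelistedAccounts = dynamic(['account1', 'account2']);
let AggregationWindow = 1h;       // assumption: time bucket for counting destinations
let DestinationThreshold = 5;     // assumption: distinct target hosts per bucket before alerting
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend
    FilePath = tostring(parse_json(AdditionalFields).FilePath),
    FileName = tostring(parse_json(AdditionalFields).FileName)
| project-rename SourceDeviceName = DeviceName
| summarize
    CopyEvents = count(),
    DistinctDestinations = dcount(DestinationDeviceName),
    Destinations = make_set(DestinationDeviceName, 50),
    FileNames = make_set(FileName, 50),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by bin(Timestamp, AggregationWindow), AccountName, SourceDeviceName
| where DistinctDestinations >= DestinationThreshold
| order by DistinctDestinations desc
```

A single source reaching five or more hosts with the same file name in one hour is a stronger triage signal than individual copy events, while deployment and backup accounts that legitimately behave this way belong in `WhitelistedAccounts`.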

Bert-Jan Pals
Released: February 14, 2023