Query Details

Detect SMB File Copies

SMB File Copy

Query

let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend 
     SMBFileCopyCount = parse_json(AdditionalFields).Count,
     FilePath = parse_json(AdditionalFields).FilePath,
     FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
     Timestamp,
     ActionType,
     SourceDeviceName,
     DestinationDeviceName,
     FilePath,
     FileName,
     SMBFileCopyCount

About this query

Explanation

This query is designed to detect suspicious file copying activities over the SMB protocol, which is often used for file sharing on Windows networks. The query specifically looks for instances where files are copied using SMB, but excludes activities performed by accounts that are considered safe or "whitelisted."

Here's a simple breakdown of the query:

  1. Whitelisted Accounts: The query starts by defining a list of accounts that are considered safe and should be ignored in the detection process. These are specified in a dynamic list called WhitelistedAccounts.

  2. Data Source: The query searches through IdentityDirectoryEvents, which logs various identity-related activities, including file operations.

  3. Filter Criteria: It filters events where the action type is 'SMB file copy', indicating a file was copied using the SMB protocol. It further filters out any events involving accounts that are in the whitelist.

  4. Data Extraction: For each relevant event, the query extracts additional details such as the number of files copied (SMBFileCopyCount), the file path, and the file name from the AdditionalFields column.

  5. Renaming and Reordering: The query renames the DeviceName field to SourceDeviceName for clarity and reorders the columns to present the data in a more organized manner, showing the timestamp, action type, source and destination device names, file path, file name, and the count of files copied.

  6. Purpose: The main goal is to identify potentially malicious file copying activities that could indicate an adversary is distributing malware within the network. Legitimate file copies by administrators or other trusted users should be added to the whitelist to avoid false positives.

By running this query, security teams can monitor and investigate unauthorized or suspicious file copying activities over SMB, helping to protect the network from potential threats.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

IdentityDirectoryEvents

Keywords

IdentityDirectoryEventsActionTypeAccountNameAdditionalFieldsDeviceTimestampTimeGeneratedSourceDestinationFilePathSMBCopyCount

Operators

letdynamicwherenothas_anyextendparse_jsonproject-renameproject-reorder

MITRE Techniques

Actions

GitHub