Remote Services: SMB/Windows Admin Shares T1021.002

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Events covered

17 catalog events are tagged with this technique by at least one rule.

Provider | Event ID | Title
Sysmon | 1 | Process creation
Sysmon | 7 | Image loaded
Sysmon | 11 | FileCreate
Sysmon | 13 | RegistryEvent (Value Set)
Sysmon | 17 | PipeEvent (Pipe Created)
Sysmon | 18 | PipeEvent (Pipe Connected)
Security-Auditing | 4624 | An account was successfully logged on.
Security-Auditing | 4625 | An account failed to log on.
Security-Auditing | 4672 | Special privileges assigned to new logon.
Security-Auditing | 4688 | A new process has been created.
Security-Auditing | 4697 | A service was installed in the system.
Security-Auditing | 4776 | The domain controller attempted to validate the credentials for an account.
Security-Auditing | 5140 | A network share object was accessed.
Security-Auditing | 5145 | A network share object was checked to see whether client can be granted desired access.
PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
SMBServer | 4000 | The SMB client connection to the share was established.
Service-Control-Manager | 7045 | A service was installed in the system.

Authoring guide

Patterns shared across the 42 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (36 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 12 | ends_with 9, match 2, eq 2 | \net.exe, \net1.exe, System, \pwsh.exe, \robocopy.exe
RelativeTargetName | 10 | eq 5, ends_with 3, match 1, starts_with 1, in 1 | winreg, spoolss, \Internet Explorer\iertutil.dll, MsFteWds, srvsvc
ShareName | 10 | eq 6, match 2, ends_with 1, in 1 | \\\\\*\\IPC$, C$, Admin$, IPC, ADMIN$
CommandLine | 8 | match 7, ends_with 1, eq 1 | " use ", rundll32, \\\\, "copy ", cpi
OriginalFileName | 7 | eq 7 | net.exe, net1.exe, PowerShell.EXE, powershell_ise.exe, XCOPY.EXE
EventID | 6 | eq 5, in 1 | 17, 18, 5145, 4672
user | 5 | ends_with 5 | $
tool | 4 | is_not_null 4 | (no value; presence check only)
TargetFilename | 3 | ends_with 2, match 1 | \Temp\_MEI, \nxc\data\, \Internet Explorer\iertutil.dll, \wbem\wbemcomn.dll
source.ip | 2 | ne 2 | 127.0.0.1, ::1, ::
EventType | 2 | eq 2 | logged-in, service-installed, logged-in-special
LogonType | 2 | eq 2 | Network, 3
ServiceFileName | 2 | match 1, regex_match 1 | .exe, %COMSPEC%, powershell -nop -w hidden -encodedcommand, ^%systemroot%\\[a-zA-Z]{8}\.exe$
ImagePath | 2 | match 2 | .exe, %COMSPEC%, powershell -nop -w hidden -encodedcommand, __output 2^>^&1 >, .bat & del
Provider_Name | 2 | eq 2 | Service Control Manager

Top indicator values (180 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination appears only in rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
user | ends_with | $ | 5 | 18
ShareName | eq | \\\\\*\\IPC$ | 5 | 6
CommandLine | match | " use " | 4 | 6
OriginalFileName | eq | net1.exe | 4 | 16
Image | ends_with | \net.exe | 4 | 27
OriginalFileName | eq | net.exe | 4 | 16
Image | ends_with | \net1.exe | 4 | 25
EventID | eq | 17 | 3 | 3
EventID | eq | 18 | 3 | 3
source.ip | ne | ::1 | 2 | 7
source.ip | ne | 127.0.0.1 | 2 | 8
RelativeTargetName | eq | winreg | 2 |
Provider_Name | eq | Service Control Manager | 2 | 43
RelativeTargetName | eq | spoolss | 2 | 2
RelativeTargetName | eq | svcctl | 2 | 2
RelativeTargetName | eq | protected_storage | 2 | 2
Image | eq | System | 2 | 8
CommandLine | match | " \\\\" | 2 | 8
source.ip | ne | :: | 1 |
EventType | eq | logged-in | 1 | 7

Common exclusions (48 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
process_name | in | "*:\\Windows\\System32\\svchost.exe" | 4
process_name | in | "*\\AppData\\Local\\Microsoft*" | 4
process_name | in | "*:\\Program Files\\Microsoft*" | 4
process_name | in | "*:\\Program Files \(x86\)\\Microsoft*" | 4
process_name | in | "*:\\Program Files \(x86\)\\Adobe*" | 4
process_name | in | "*:\\Windows\\system32\\SearchIndexer.exe" | 4
process_name | in | "*:\\Windows\\SystemApps\\Microsoft*" | 4
process_name | in | "*:\\Program Files \(x86\)\\Google*" | 4
process_name | in | "*:\\Program Files\\Adobe*" | 4
process_name | in | "*\\AppData\\Local\\Google*" | 4
process_name | in | "*\\AppData\\Local\\Kingsoft\\*" | 4
process_name | in | "*\\Amazon\\SSM\\Instance*" | 4
process_name | in | "*:\\Program Files\\Google*" | 4
process_name | in | "System" | 4
ServiceFileName | wildcard | ?:\Windows\System32\wbem\WmiApSrv.exe | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma: 33 rules

Elastic: 3 rules

Splunk: 6 rules