Detection rules › Splunk
Network Share Discovery Via Dir Command
The following analytic detects access to Windows administrative SMB shares (Admin$, IPC$, C$) using the 'dir' command. It leverages Windows Security Event Logs with EventCode 5140 to identify this activity. This behavior is significant as it is commonly used by tools like PsExec/PaExec for staging binaries before creating and starting services on remote endpoints, a technique often employed by adversaries for lateral movement and remote code execution. If confirmed malicious, this activity could allow attackers to propagate malware, such as IcedID, across the network, leading to widespread infection and potential data breaches.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1135 Network Share Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5140 | A network share object was accessed. |
Stages and Predicates
Stage 1: search
search AccessMask=0x1 EventCode=5140 ShareName IN ("*\\\\*\\IPC$", "\\\\*\\ADMIN$", "\\\\*\\C$")
Stage 2: stats
stats BY ShareName, IpAddress, ObjectType, SubjectUserName, SubjectDomainName, IpPort, AccessMask, Computer
Stage 3: rename
rename
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AccessMask | eq |
|
EventCode | eq |
|
ShareName | in |
|