
Summary
This detection rule identifies write access to administrative SMB (Server Message Block) shares by accounts that are not computer accounts. It is built on Windows Security Event ID 5145 (Detailed File Share), which records each access check against a file share object; these events are only generated when the "Audit Detailed File Share" subcategory is enabled, so the rule produces nothing on hosts without that audit policy. The rule selects events whose ShareName ends with 'C$', the default administrative share for the C: drive, and whose AccessMask carries the write bit 0x2 (FILE_WRITE_DATA for files, FILE_ADD_FILE for directories). Because AccessMask is a bitmask, a write request frequently appears as a combined value such as 0x12019f rather than a bare 0x2, so matching should test the bit rather than the literal string. To reduce false positives from routine system-to-system activity, the rule excludes events whose SubjectUserName ends with '$', the naming convention for computer (machine) accounts; note that this also hides writes performed with a compromised machine account, and that other administrative shares (ADMIN$, D$ and so on) are outside the rule's scope as written. A match means a user account has placed or modified files on another host's system drive over SMB, a common lateral-movement step (for example staging a payload before remote execution with a service, scheduled task or WMI) and a signal of unauthorized file access by a compromised or insider account.
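As an added worked example (not the rule's own code or part of the original page), the following Python applies the logic described above to a few constructed 5145 events. Field names follow the 5145 event schema; the user names, addresses and paths are invented. It tests the write bit of AccessMask instead of comparing the string, so a combined mask such as 0x12019f still matches while a read-only mask like 0x20089 (which contains the substring "0x2") does not.

```python
# Added example: apply the Event ID 5145 admin-share write rule to constructed
# events. Illustrative code, not the rule's own implementation.

WRITE_DATA = 0x2   # FILE_WRITE_DATA (files) / FILE_ADD_FILE (directories) bit in AccessMask


def parse_access_mask(value):
    """5145 carries AccessMask as a hex string such as '0x12019f'; return it as an int."""
    try:
        return int(value, 16)
    except (TypeError, ValueError):
        return 0


def is_admin_share_write(event):
    """Rule as described: EventID 5145, ShareName ends with C$, write bit set,
    and the subject is not a computer account (SAM name ending in '$')."""
    if event.get("EventID") != 5145:
        return False
    if not event.get("ShareName", "").upper().endswith("C$"):
        return False
    # Test the bit, not the string: 0x12019f includes the write bit,
    # 0x20089 does not even though '0x2' is a substring of it.
    if not parse_access_mask(event.get("AccessMask")) & WRITE_DATA:
        return False
    if event.get("SubjectUserName", "").endswith("$"):
        return False   # computer account; excluded by the rule
    return True


def detect(events):
    """Return (SubjectUserName, IpAddress, RelativeTargetName) for each matching event."""
    return [
        (e["SubjectUserName"], e.get("IpAddress", "?"), e.get("RelativeTargetName", "?"))
        for e in events
        if is_admin_share_write(e)
    ]


# Constructed sample events (hosts, users, addresses and paths are made up).
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Windows\\Temp\\svc.exe", "AccessMask": "0x2",
     "IpAddress": "10.0.0.25"},                                   # bare write bit
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Users\\Public\\run.bat", "AccessMask": "0x12019f",
     "IpAddress": "10.0.0.25"},                                   # combined mask including write
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Windows\\win.ini", "AccessMask": "0x20089",
     "IpAddress": "10.0.0.25"},                                   # read-only; no write bit
    {"EventID": 5145, "SubjectUserName": "WS01$", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Windows\\Temp\\x.tmp", "AccessMask": "0x2",
     "IpAddress": "10.0.0.7"},                                    # computer account; excluded
    {"EventID": 5145, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "Temp\\svc.exe", "AccessMask": "0x2",
     "IpAddress": "10.0.0.25"},                                   # ADMIN$ is outside the rule
    {"EventID": 5140, "SubjectUserName": "jdoe", "ShareName": "\\\\*\\C$",
     "AccessMask": "0x1", "IpAddress": "10.0.0.25"},              # share connect, not a file access
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT admin-share write:", hit)
```

Running the block flags only the first two events: the bare 0x2 write and the combined 0x12019f mask, both from the user account jdoe. The read-only access, the computer-account write and the ADMIN$ write are all left alone, which also makes the rule's blind spots visible: a real deployment would usually extend the ShareName match to ADMIN$ and other drive shares.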
Categories
- Windows
- Endpoint
Data Sources
- Logon Session
- Network Traffic
- Process
Created: 2020-08-06