Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker identifies accessible SMB shares within the compromised environment.
3. The attacker uses the compromised system to connect to a target SMB share (port 445) on another system.
4. The attacker copies an executable file (e.g., malware, a credential dumping tool, or a PowerShell script) to the SMB share.
5. The target system detects a new file creation or change event on the SMB share.
6. A user or process on the target system executes the transferred file.
7. The executed file performs malicious actions on the target system, such as credential theft or lateral movement.
8. The attacker uses the newly compromised system to further expand their access within the network.

Impact

Successful exploitation allows attackers to propagate malware or malicious tools throughout the network, leading to widespread compromise. Lateral movement enables attackers to access sensitive data, escalate privileges, and ultimately achieve their objectives, which may include data exfiltration, ransomware deployment, or system disruption. The rule aims to detect this activity early in the attack chain and mitigate potential damage.

Recommendation

• Deploy the provided Sigma rules to your SIEM to detect suspicious executable file creation/modification events on SMB shares.
• Enable Elastic Defend on all Windows endpoints to provide the necessary data for the detection rule to function.
• Investigate any alerts triggered by the Sigma rules, focusing on the process execution chain, file reputation, and user activity.
• Review and restrict write access to network shares to minimize the risk of unauthorized file transfers.
• Monitor network connections to port 445 (SMB) for suspicious activity, especially connections originating from unusual source IPs (Sigma rule, log source).