Correlate suspicious file transfers over SMB shares, including administrative shares such as ADMIN$, with process creation events (cmd.exe, powershell.exe, certutil.exe and similar) that do not align with normal administrative behavior. Detect remote file writes followed by execution of the transferred binary on the destination host.
| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5140 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| TimeWindow | Time period between file transfer and execution used to correlate events |
| UserContext | Accounts allowed to perform legitimate administrative transfers |
| FilePathWhitelist | Exclude known legitimate software update directories |
Monitor scp, rsync, curl, sftp, or ftp processes initiating transfers to internal systems combined with file creation events in unusual directories. Correlate transfer activity with subsequent execution of those binaries.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | execve: Invocation of scp, rsync, curl, sftp, or ftp |
| File Creation (DC0039) | auditd:FILE | create: New file created in system binaries or temp directories |
| Field | Description |
|---|---|
| AllowedTools | Define legitimate transfer utilities expected in the environment |
| DestinationDirectories | Restrict to suspicious or non-standard directories for transferred files |
Detect anomalous use of scp, rsync, curl, or third-party sync apps transferring executables into user directories. Correlate new file creation with immediate execution events.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of scp, rsync, or curl with a remote source or destination |
| File Creation (DC0039) | macos:unifiedlog | File created in ~/Library/LaunchAgents or executable directories |
| Field | Description |
|---|---|
| SyncApplications | Sanctioned sync applications (e.g., Dropbox, OneDrive) to exclude from alerting |
| EntropyThreshold | Threshold above which a transferred file's name or hash is treated as unusual (e.g., random-looking filenames, hashes never seen elsewhere in the environment) |
Identify lateral transfer via datastore file uploads or internal scp/ssh sessions that result in new VMX/VMDK or script files. Correlate the transfer with subsequent VM power-on or datastore modification.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | esxi:vmkernel | Upload of file to datastore |
| Command Execution (DC0064) | esxi:hostd | scp/ssh used to move file across hosts |
| Field | Description |
|---|---|
| DatastoreWhitelist | Known authorized paths for legitimate VM operations |
| TransferProtocol | Protocols allowed for file transfers between ESXi hosts |
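The "transfer, then write, then execute" correlation described in the Windows and Linux analytics above (the macOS and ESXi analytics apply the same sequence to different event sources), as an added example that is not part of the ATT&CK page. It works over a normalized event list whose field names (ts, host, user, platform, kind, path) are this example's own layer, not the raw Security 5140, Sysmon 1/11 or auditd schemas; the mutable-element values and all sample events are constructed for illustration.

```python
"""Transfer-then-execute correlation over normalized log events.

Added example; the normalized fields and the sample events below are
constructed and are not the raw Sysmon/Security/auditd record formats.
"""
from dataclasses import dataclass
import fnmatch
import posixpath


@dataclass
class Event:
    ts: float       # epoch seconds
    host: str       # destination host on which the file lands
    user: str
    platform: str   # "windows" or "linux"
    kind: str       # "share_access" (Security 5140), "file_create" (Sysmon 11 /
                    # auditd create), "process_create" (Sysmon 1 / auditd execve)
    path: str       # share name, created file path, or executed image path


# Mutable elements from the tables above; the concrete values are assumptions.
TIME_WINDOW = 300                                   # seconds between transfer, write, execution
USER_CONTEXT = {"corp\\svc_sccm", "root"}           # accounts allowed to stage tools
FILE_PATH_WHITELIST = ["c:\\windows\\ccmcache\\*", "/var/cache/apt/*"]
DESTINATION_DIRECTORIES = ["c:\\windows\\temp\\*", "c:\\users\\*\\appdata\\*",
                           "/tmp/*", "/dev/shm/*", "/usr/local/bin/*"]
TRANSFER_TOOLS = {"scp", "rsync", "curl", "sftp", "ftp"}   # AllowedTools


def norm(ev, s):
    """Windows paths and account names are case-insensitive; Linux ones are not."""
    return s.lower() if ev.platform == "windows" else s


def matches(ev, patterns):
    return any(fnmatch.fnmatchcase(norm(ev, ev.path), p) for p in patterns)


def is_transfer(ev):
    """Evidence that a file arrived: a share access on Windows, or a transfer
    utility being executed on Linux."""
    if ev.kind == "share_access":
        return True
    if ev.kind == "process_create":
        name = posixpath.basename(ev.path.replace("\\", "/")).lower()
        return name in TRANSFER_TOOLS
    return False


def correlate(events, window=TIME_WINDOW):
    """One alert per file that was transferred, written to a watched directory
    outside the whitelist by a non-admin account, and executed on the same
    host within `window` seconds of the write."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for create in events:
        if create.kind != "file_create" or norm(create, create.user) in USER_CONTEXT:
            continue
        if matches(create, FILE_PATH_WHITELIST) or not matches(create, DESTINATION_DIRECTORIES):
            continue
        same_host = [e for e in events if e.host == create.host]
        transfers = [e for e in same_host
                     if is_transfer(e) and create.ts - window <= e.ts <= create.ts]
        execs = [e for e in same_host
                 if e.kind == "process_create"
                 and norm(e, e.path) == norm(create, create.path)
                 and create.ts <= e.ts <= create.ts + window]
        if transfers and execs:
            alerts.append({"host": create.host, "user": create.user, "file": create.path,
                           "transfer_ts": transfers[-1].ts, "create_ts": create.ts,
                           "exec_ts": execs[0].ts})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: ADMIN$ accessed, binary dropped in Temp, executed 15 s later
    Event(1000, "WS01", "CORP\\jdoe", "windows", "share_access", "\\\\*\\ADMIN$"),
    Event(1005, "WS01", "CORP\\jdoe", "windows", "file_create", "C:\\Windows\\Temp\\svc.exe"),
    Event(1020, "WS01", "CORP\\jdoe", "windows", "process_create", "C:\\Windows\\Temp\\svc.exe"),
    # WS02: sanctioned software distribution into a whitelisted cache directory
    Event(2000, "WS02", "CORP\\svc_sccm", "windows", "share_access", "\\\\*\\ADMIN$"),
    Event(2002, "WS02", "CORP\\svc_sccm", "windows", "file_create", "C:\\Windows\\ccmcache\\a1\\setup.exe"),
    Event(2010, "WS02", "CORP\\svc_sccm", "windows", "process_create", "C:\\Windows\\ccmcache\\a1\\setup.exe"),
    # srv01: curl pulls a file into /tmp and it runs one second later
    Event(3000, "srv01", "deploy", "linux", "process_create", "/usr/bin/curl"),
    Event(3001, "srv01", "deploy", "linux", "file_create", "/tmp/.x"),
    Event(3002, "srv01", "deploy", "linux", "process_create", "/tmp/.x"),
    # srv02: rsync writes a tarball to /tmp but nothing executes it
    Event(4000, "srv02", "backup", "linux", "process_create", "/usr/bin/rsync"),
    Event(4001, "srv02", "backup", "linux", "file_create", "/tmp/backup.tar"),
    # srv03: execution happens an hour after the write, outside the window
    Event(5000, "srv03", "ops", "linux", "process_create", "/usr/bin/scp"),
    Event(5001, "srv03", "ops", "linux", "file_create", "/usr/local/bin/agent"),
    Event(8601, "srv03", "ops", "linux", "process_create", "/usr/local/bin/agent"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 and srv01 produce alerts: WS02 is suppressed by both the account context and the path whitelist, srv02 has no execution, and srv03's execution falls outside TimeWindow. Tightening the window to 10 seconds drops WS01 as well, which is the trade-off the TimeWindow field controls: shorter windows cut noise from unrelated writes but miss operators who stage a tool and run it later.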