Monitoring of file access to network shares (e.g., C$, Admin$) followed by unusual read or copy operations by processes not typically associated with such activity (e.g., PowerShell, certutil).

| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| ShareName | Organizations may use custom share paths outside of default C$, Admin$, etc. |
| ProcessName | Common toolsets vary; defenders should tailor to unusual processes for their environment. |
| TimeWindow | Time of day and access duration may need to be tuned to reduce false positives. |

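The Windows analytic above as a runnable correlation rule, added here as an example and not part of the original page: it joins Security 5145 share-access events with Sysmon 11 file creations on the same account inside a time window and flags creations by an unusual process. The share list, process list, window and the sample events are constructed assumptions to be tuned per environment.

```python
from datetime import datetime, timedelta

# Mutable elements from the table above (assumed tuning values, adjust per environment).
MONITORED_SHARES = {"ADMIN$", "C$"}                      # ShareName
UNUSUAL_PROCESSES = {"powershell.exe", "certutil.exe"}   # ProcessName
TIME_WINDOW = timedelta(minutes=5)                       # TimeWindow

# Constructed sample events, not real telemetry. Security 5145 (logged on the file
# server) carries the account and client IP; Sysmon 11 (logged on the client)
# carries the creating process image. The two are joined on the account name.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "EventCode": 5145, "ShareName": "\\\\*\\ADMIN$",
     "RelativeTargetName": "finance\\q1.xlsx", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.12"},
    {"ts": "2024-05-01T09:01:10", "EventCode": 11, "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\q1.xlsx"},
    {"ts": "2024-05-01T09:30:00", "EventCode": 5145, "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Users\\asmith\\notes.txt", "SubjectUserName": "asmith", "IpAddress": "10.0.0.40"},
    {"ts": "2024-05-01T09:31:00", "EventCode": 11, "User": "CORP\\asmith",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\asmith\\Desktop\\notes.txt"},
    {"ts": "2024-05-01T11:00:00", "EventCode": 11, "User": "CORP\\jdoe",   # no share access nearby
     "Image": "C:\\Windows\\System32\\certutil.exe", "TargetFilename": "C:\\Temp\\out.bin"},
]

def _leaf(path):
    """Last component of a Windows path, independent of the host OS separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def _user(name):
    """Normalise 'CORP\\jdoe' and 'jdoe' to one case-insensitive key."""
    return _leaf(name).lower()

def correlate(events, shares=MONITORED_SHARES, processes=UNUSUAL_PROCESSES, window=TIME_WINDOW):
    """Alert on Sysmon 11 creations by an unusual process that follow a 5145 access
    to a monitored share by the same account within the window."""
    share_hits = [e for e in events if e["EventCode"] == 5145 and _leaf(e["ShareName"]).upper() in shares]
    alerts = []
    for e in events:
        if e["EventCode"] != 11 or _leaf(e["Image"]).lower() not in processes:
            continue
        created_at = datetime.fromisoformat(e["ts"])
        for s in share_hits:
            delta = created_at - datetime.fromisoformat(s["ts"])
            if _user(s["SubjectUserName"]) == _user(e["User"]) and timedelta(0) <= delta <= window:
                alerts.append({"user": _user(e["User"]), "share": _leaf(s["ShareName"]).upper(),
                               "share_file": s["RelativeTargetName"], "process": _leaf(e["Image"]).lower(),
                               "created": e["TargetFilename"], "delta_s": int(delta.total_seconds())})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Only the powershell.exe creation 65 seconds after the ADMIN$ access fires; explorer.exe is not on the process list and the certutil.exe creation has no share access inside the window.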

Unusual access or copying of files from mounted network drives (e.g., NFS, CIFS/SMB) by user shells or scripts followed by large data transfer.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open,read |
| Drive Access (DC0054) | linux:syslog | mount/umount or file copy logs |

| Field | Description |
|---|---|
| MountPoint | Organization-specific share mount paths may vary (/mnt/share1, /srv/data, etc.). |
| UID | May need to scope to service accounts or user ID patterns specific to enterprise policy. |


Detection of file access from mounted SMB shares followed by copy or exfil commands from Terminal or script interpreter processes.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:unifiedlog | filesystem and process events |
| Drive Access (DC0054) | fs:fsusage | open/read/mount operations |

| Field | Description |
|---|---|
| ProcessPath | Script interpreters may vary (e.g., zsh, bash, python, osascript). |
| SharePath | Network drive mount points may differ across enterprises. |