Detects adversary tampering of shared directories via file drops (e.g., malicious LNK, EXE, VBS) followed by another user executing the dropped file or by suspicious network share access to it.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |

| Field | Description |
|---|---|
| SharedPathPrefix | Defines monitored shared directories (e.g., \\server\HR\). |
| ExecutableExtensions | Monitored file types dropped in shared paths (e.g., .lnk, .exe, .vbs). |
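
The following is an added example of the correlation this analytic describes, written for this page; it is not code from the page. It joins Sysmon EventCode 11 file creates on the file server with Security EventCode 5145 share accesses, and the join needs one detail the tables above do not spell out: Sysmon logs the local path (D:\Shares\HR\...) while 5145 logs a share name plus a share-relative name, so the example learns each monitored share's local root from the 5145 ShareLocalPath field. The field names follow the native event schemas; the timestamp format, the two monitored-share derivation from SharedPathPrefix, and all sample records are assumptions constructed for the example.

```python
"""Correlate a file drop into a monitored SMB share (Sysmon EventCode 11) with
later access to the same file by a different account (Security EventCode 5145).
Added example for this page, not code from the page.  Assumes both logs are
parsed into dicts with the native field names, timestamps normalized by the
collector to one format, and the records at the bottom are constructed."""
from datetime import datetime, timedelta

MONITORED_SHARES = {"hr"}                 # share part of SharedPathPrefix \\server\HR\
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".vbs"}   # ExecutableExtensions
CORRELATION_WINDOW = timedelta(hours=24)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _share_name(share):
    # ShareName in 5145 looks like \\*\HR; keep the last component
    return share.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _local_root(share_local_path):
    # ShareLocalPath carries the NT object prefix \??\ before the drive path
    p = share_local_path[4:] if share_local_path.startswith("\\??\\") else share_local_path
    return p.rstrip("\\").lower() + "\\"


def has_executable_extension(path):
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in EXECUTABLE_EXTENSIONS


def correlate(sysmon_events, security_events, window=CORRELATION_WINDOW):
    # Learn the local directory behind each monitored share from the 5145
    # stream itself instead of hard-coding a share -> path map.
    roots = {_local_root(ev["ShareLocalPath"]) for ev in security_events
             if ev["EventCode"] == 5145 and _share_name(ev["ShareName"]) in MONITORED_SHARES}

    drops = {}   # local path -> (drop time, dropping account)
    for ev in sysmon_events:
        target = ev["TargetFilename"].lower()
        if ev["EventCode"] == 11 and has_executable_extension(target) \
                and any(target.startswith(r) for r in roots):
            drops[target] = (_ts(ev["UtcTime"]), ev["User"].lower())

    alerts = []
    for ev in security_events:
        if ev["EventCode"] != 5145:
            continue
        path = _local_root(ev["ShareLocalPath"]) + ev["RelativeTargetName"].lower()
        if path not in drops:
            continue
        dropped_at, dropper = drops[path]
        accessor = (ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]).lower()
        seen_at = _ts(ev["TimeCreated"])
        # The dropper's own share access is expected; anyone else touching the
        # dropped executable inside the window is the taint being consumed.
        if accessor != dropper and dropped_at <= seen_at <= dropped_at + window:
            alerts.append({"file": path, "dropped_by": dropper, "accessed_by": accessor,
                           "from_ip": ev["IpAddress"],
                           "lag_seconds": int((seen_at - dropped_at).total_seconds())})
    return alerts


SYSMON_SAMPLE = [  # constructed Sysmon 11 records from the file server
    {"EventCode": 11, "UtcTime": "2024-05-01 09:12:03.210", "User": "CORP\\mallory",
     "TargetFilename": "D:\\Shares\\HR\\Onboarding\\Benefits_Overview.lnk"},
    {"EventCode": 11, "UtcTime": "2024-05-01 09:12:05.002", "User": "CORP\\mallory",
     "TargetFilename": "D:\\Shares\\HR\\Onboarding\\Benefits_Overview.pdf"},
    {"EventCode": 11, "UtcTime": "2024-05-01 09:20:00.000", "User": "CORP\\svc-backup",
     "TargetFilename": "D:\\Shares\\Finance\\tool.exe"},   # Finance is not monitored
]
SECURITY_SAMPLE = [  # constructed Security 5145 records from the same server
    {"EventCode": 5145, "TimeCreated": "2024-05-01 09:12:03.210", "SubjectDomainName": "CORP",
     "SubjectUserName": "mallory", "ShareName": "\\\\*\\HR", "ShareLocalPath": "\\??\\D:\\Shares\\HR",
     "RelativeTargetName": "Onboarding\\Benefits_Overview.lnk", "IpAddress": "10.1.2.3"},
    {"EventCode": 5145, "TimeCreated": "2024-05-01 10:47:19.210", "SubjectDomainName": "CORP",
     "SubjectUserName": "bob", "ShareName": "\\\\*\\HR", "ShareLocalPath": "\\??\\D:\\Shares\\HR",
     "RelativeTargetName": "Onboarding\\Benefits_Overview.lnk", "IpAddress": "10.1.7.44"},
]

if __name__ == "__main__":
    for alert in correlate(SYSMON_SAMPLE, SECURITY_SAMPLE):
        print(alert)
```

Two operational caveats: EventCode 5145 is only written when the Detailed File Share audit subcategory is enabled, and it fires on every access check, so scope collection to the monitored shares; and the Sysmon side needs a FileCreate rule covering the share's local root on the file server, otherwise the drop is never seen.
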

Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write |
| Network Share Access (DC0102) | NSM:Flow | smb_files.log |

| Field | Description |
|---|---|
| MountPath | Mount path of monitored shared volumes (e.g., /mnt/shared). |
| FilenamePattern | Pattern matching of abnormal or disguised filenames. |

Detects files added to shared network folders that disguise an .app bundle or script as a document through a hidden or double extension (e.g., Report.docx.app, where Finder hides the trailing .app).

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | fs:fsevents | Directory events (kFSEventStreamEventFlagItemCreated) |
| File Modification (DC0061) | macos:unifiedlog | file writes |

| Field | Description |
|---|---|
| FileExtensionDeception | Patterns of hidden or double extensions to flag (e.g., a document extension immediately followed by .app). |
| TargetSharedFolder | Defines sensitive shared folders (e.g., /Users/Shared/HR). |
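
The Linux analytic (FilenamePattern under MountPath) and the macOS analytic (FileExtensionDeception under TargetSharedFolder) both come down to the same test on a filename, so one added example serves both. It is written for this page and is not code from the page: it joins auditd SYSCALL and PATH records on their msg id to find files created or written under a monitored mount, applies the same filename check to fsevents paths, and flags document-then-code double extensions and .app bundles. The extension lists are this example's own, the whitespace-padding check goes beyond the page's double-extension case, and the audit lines and paths are constructed samples.

```python
"""Flag disguised filenames written into shared volumes.  Added example for
this page, not code from the page.  Extension lists, the whitespace-padding
check and the sample records are this example's assumptions."""
import re
from collections import defaultdict

MONITORED = ("/mnt/shared/", "/Users/Shared/HR/")   # MountPath / TargetSharedFolder
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "csv", "jpg", "png"}
EXECUTABLE_EXTS = {"sh", "py", "pl", "rb", "command", "app", "scpt", "exe", "lnk", "vbs", "jar"}


def in_monitored_share(path):
    return any(path.startswith(p) for p in MONITORED)


def filename_findings(path):
    """Return the reasons a filename looks disguised; [] if it looks normal."""
    name = path.rstrip("/").rsplit("/", 1)[-1]       # .app bundles arrive as directories
    exts = [e.strip() for e in name.lower().split(".")[1:]]
    findings = []
    if exts and exts[-1] in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            # Q3.pdf.sh / Payroll.docx.app: document-looking name hiding code
            findings.append("double_extension:%s.%s" % (exts[-2], exts[-1]))
        if exts[-1] == "app":
            findings.append("app_bundle_in_share")   # Finder hides .app by default
        elif not findings:
            findings.append("executable_extension:" + exts[-1])
    if re.search(r"\s{3,}\.", name):
        findings.append("whitespace_padding")        # real extension pushed out of view
    return findings


AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID = re.compile(r"msg=audit\(([\d.:]+)\)")


def parse_audit(lines):
    """Join SYSCALL and PATH records on msg id; return files created or
    written under a monitored mount together with the writing program."""
    by_id = defaultdict(list)
    for line in lines:
        m = AUDIT_ID.search(line)
        if m:
            by_id[m.group(1)].append({k: v.strip('"') for k, v in AUDIT_KV.findall(line)})
    events = []
    for recs in by_id.values():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        for r in recs:
            # item 0 is the parent directory (nametype=PARENT); skip it
            if r["type"] == "PATH" and r.get("nametype") in ("CREATE", "NORMAL") \
                    and in_monitored_share(r["name"]):
                events.append({"path": r["name"], "exe": syscall["exe"], "auid": syscall["auid"]})
    return events


def scan_audit(lines):
    hits = []
    for ev in parse_audit(lines):
        findings = filename_findings(ev["path"])
        if findings:
            hits.append(dict(ev, findings=findings))
    return hits


def scan_fsevents(created_paths):
    """macOS side: an ItemCreated fsevent only carries the path, so the
    filename test is all that applies here."""
    return [(p, filename_findings(p)) for p in created_paths
            if in_monitored_share(p) and filename_findings(p)]


AUDIT_SAMPLE = [  # constructed; fields abbreviated from real auditd output
    'type=SYSCALL msg=audit(1714551123.456:789): arch=c000003e syscall=257 success=yes exit=3 '
    'items=2 pid=1234 auid=1001 uid=1001 comm="cp" exe="/usr/bin/cp" key="shared_write"',
    'type=PATH msg=audit(1714551123.456:789): item=0 name="/mnt/shared/reports/" nametype=PARENT',
    'type=PATH msg=audit(1714551123.456:789): item=1 name="/mnt/shared/reports/Q3_Results.pdf.sh" '
    'inode=240 mode=0100755 nametype=CREATE',
    'type=SYSCALL msg=audit(1714551130.001:790): arch=c000003e syscall=257 success=yes exit=4 '
    'items=2 pid=1235 auid=1002 uid=1002 comm="soffice.bin" exe="/usr/lib/libreoffice/program/soffice.bin"',
    'type=PATH msg=audit(1714551130.001:790): item=1 name="/mnt/shared/reports/Q3_Results.xlsx" '
    'inode=241 mode=0100664 nametype=CREATE',
]
FSEVENTS_SAMPLE = [  # constructed paths reported with kFSEventStreamEventFlagItemCreated
    "/Users/Shared/HR/Payroll_Q3.docx.app/",
    "/Users/Shared/HR/Payroll_Q3.docx",
    "/Users/Shared/Marketing/deploy.sh",    # outside TargetSharedFolder
]

if __name__ == "__main__":
    print(scan_audit(AUDIT_SAMPLE))
    print(scan_fsevents(FSEVENTS_SAMPLE))
```

The auditd half only sees writes if a rule such as `-w /mnt/shared -p wa -k shared_write` (or an equivalent syscall rule) is loaded; the fsevents half is a pure filename check because the event stream carries no content or hidden-extension attribute, which is why the disguise has to be inferred from the name.
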

Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | gcp:workspaceaudit | drive.activity logs |
| Network Share Access (DC0102) | m365:unified | FileUploaded, FileAccessed |

| Field | Description |
|---|---|
| UserUploadRateThreshold | Number of uploads by one user into a shared drive within a time window above which the activity is treated as abnormal. |
| MaliciousFileIndicator | File hash or known-bad filename pattern matching. |
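
An added example of this analytic over Office 365 Unified Audit Log records, written for this page; it is not code from the page or from Microsoft. It applies UserUploadRateThreshold as a sliding-window count of FileUploaded operations per user into the shared folder, applies MaliciousFileIndicator as unusual-extension and filename-pattern checks, and raises severity when a FileAccessed operation by a different user follows the upload. The field names are those of the SharePoint audit schema; the thresholds, folder prefix, lure-name patterns and sample records are constructed assumptions.

```python
"""Detect bursts of unusual file types uploaded into a shared cloud folder and
then opened by other users, over Office 365 Unified Audit Log records.
Added example for this page, not code from the page or from Microsoft.
Thresholds, folder prefix, name patterns and sample records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SHARED_FOLDER_PREFIX = "Shared Documents/HR"
UPLOAD_RATE_THRESHOLD = 3                 # UserUploadRateThreshold: uploads per window
RATE_WINDOW = timedelta(minutes=10)
UNUSUAL_EXTENSIONS = {"lnk", "exe", "vbs", "js", "hta", "iso", "scr"}
MALICIOUS_NAME_PATTERNS = [re.compile(p, re.I) for p in (   # MaliciousFileIndicator
    r"\.(pdf|docx?|xlsx?)\.(lnk|exe|vbs|js|hta)$",           # document name, code extension
    r"^(invoice|payroll|benefits)[_ -]?\d*\.(lnk|hta|js)$",  # lure names (constructed list)
)]


def _t(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def in_shared_folder(rec):
    return rec.get("SourceRelativeUrl", "").startswith(SHARED_FOLDER_PREFIX)


def indicator_hits(rec):
    hits = []
    ext = rec.get("SourceFileExtension", "").lower()
    if ext in UNUSUAL_EXTENSIONS:
        hits.append("unusual_extension:" + ext)
    hits += ["name_pattern:" + p.pattern for p in MALICIOUS_NAME_PATTERNS
             if p.search(rec["SourceFileName"])]
    return hits


def upload_bursts(records, threshold=UPLOAD_RATE_THRESHOLD, window=RATE_WINDOW):
    """{user: peak uploads in any sliding window} for users above the threshold."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileUploaded" and in_shared_folder(r):
            per_user[r["UserId"]].append(_t(r))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[user] = peak
    return bursts


def detect(records):
    bursts = upload_bursts(records)
    uploads = {r["ObjectId"]: r for r in records
               if r["Operation"] == "FileUploaded" and in_shared_folder(r)}
    alerts = []
    for obj, up in uploads.items():
        reasons = indicator_hits(up)
        if up["UserId"] in bursts:
            reasons.append("upload_burst:%d" % bursts[up["UserId"]])
        if not reasons:
            continue
        # FileAccessed by anyone but the uploader, after the upload, is the
        # "followed by user downloads or interactions" half of the analytic.
        victims = sorted({r["UserId"] for r in records
                          if r["Operation"] == "FileAccessed" and r["ObjectId"] == obj
                          and r["UserId"] != up["UserId"] and _t(r) >= _t(up)})
        alerts.append({"file": up["SourceFileName"], "uploaded_by": up["UserId"],
                       "indicators": reasons, "accessed_by": victims,
                       "severity": "high" if victims else "medium"})
    return alerts


def _rec(time, op, user, name, folder=SHARED_FOLDER_PREFIX):
    """Constructed record in the shape of a SharePoint unified audit entry."""
    return {"CreationTime": time, "Operation": op, "UserId": user, "SourceFileName": name,
            "SourceFileExtension": name.rsplit(".", 1)[-1], "SourceRelativeUrl": folder,
            "ObjectId": "https://corp.sharepoint.com/sites/HR/%s/%s" % (folder, name)}


RECORDS = [  # constructed sample: one burst containing a lure, one benign upload
    _rec("2024-05-01T09:00:00", "FileUploaded", "mallory@corp.example", "Benefits_2024.pdf.lnk"),
    _rec("2024-05-01T09:01:00", "FileUploaded", "mallory@corp.example", "Payroll_Q3.xlsx"),
    _rec("2024-05-01T09:02:00", "FileUploaded", "mallory@corp.example", "Handbook.docx"),
    _rec("2024-05-01T09:04:00", "FileUploaded", "mallory@corp.example", "Open_Enrollment.pdf"),
    _rec("2024-05-01T09:05:00", "FileUploaded", "mallory@corp.example", "Budget.xlsx", "Shared Documents/Finance"),
    _rec("2024-05-01T09:30:00", "FileUploaded", "alice@corp.example", "Org_Chart.pdf"),
    _rec("2024-05-01T10:15:00", "FileAccessed", "bob@corp.example", "Benefits_2024.pdf.lnk"),
    _rec("2024-05-01T10:16:00", "FileAccessed", "bob@corp.example", "Org_Chart.pdf"),
]

if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(alert)
```

ObjectId is the file's full URL, so a FileRenamed or FileMoved operation between upload and access breaks the join; a production version should follow those operations. FileAccessed is also recorded for previews, not only downloads, which is what the analytic wants here.
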

Detects embedded macros or scripts added to shared documents or use of external references to execute code.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | m365:defender | OfficeTelemetry or DLP |

| Field | Description |
|---|---|
| MacroExecutionPolicy | Which users or groups are expected to run macros; macro execution outside that policy is treated as suspicious. |
| SuspiciousKeywordMatch | Regex match on suspicious VBA function names or calls. |
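
An added example of the SuspiciousKeywordMatch check and the external-reference check, written for this page; it is not the page's or Microsoft's code. It scores extracted VBA source against weighted regexes for auto-execution entry points and launcher or downloader calls, and walks every `.rels` part of an OOXML package for relationships with `TargetMode="External"`, which is how a document points at content outside itself. Real macro source sits compressed inside vbaProject.bin (MS-OVBA); the example takes already-extracted text, as a tool such as olevba from oletools produces. The keyword weights, the alert threshold and the in-memory sample document are constructed assumptions.

```python
"""Score macro source for suspicious VBA calls and list external references
in an OOXML document.  Added example for this page, not the page's or
Microsoft's code.  Weights, threshold and the sample package are constructed;
the VBA text is assumed already extracted from vbaProject.bin."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# SuspiciousKeywordMatch: (regex, weight).  Auto-exec entry points plus the
# calls that turn a document into a downloader or launcher.
SUSPICIOUS_VBA = [
    (r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|AutoClose)\b", 2),
    (r"\bShell\s*\(", 3),
    (r'\bCreateObject\s*\(\s*"(WScript\.Shell|Shell\.Application|MSXML2\.(Server)?XMLHTTP|ADODB\.Stream)"', 3),
    (r"\bURLDownloadToFile\b", 4),
    (r"\bDeclare\s+(PtrSafe\s+)?Function\b", 2),
    (r"\bpowershell(\.exe)?\b", 4),
    (r"\b(Chr|ChrW|StrReverse|Xor)\s*\(", 1),          # light obfuscation
    (r'\bEnvironment\s*\(\s*"(TEMP|APPDATA)"', 1),
]
ALERT_THRESHOLD = 5
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def score_vba(source):
    """Return (score, matched_text) for one module's source text."""
    score, matches = 0, []
    for pattern, weight in SUSPICIOUS_VBA:
        for m in re.finditer(pattern, source, re.I):
            matches.append(m.group(0))
            score += weight
    return score, matches


def external_references(doc_bytes):
    """(list of (rels_part, relationship_type, target) with TargetMode=External,
    whether the package carries a VBA project)."""
    refs, has_vba = [], False
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            if name.endswith("vbaProject.bin"):
                has_vba = True
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter("{%s}Relationship" % REL_NS):
                    if rel.get("TargetMode") == "External":
                        refs.append((name, rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
    return refs, has_vba


def assess(doc_bytes, vba_source=""):
    refs, has_vba = external_references(doc_bytes)
    score, hits = score_vba(vba_source) if vba_source else (0, [])
    reasons = ["external:%s -> %s" % (rtype, target) for _, rtype, target in refs]
    if score >= ALERT_THRESHOLD:
        reasons.append("vba_score:%d" % score)
    return {"has_vba": has_vba, "score": score, "hits": hits,
            "reasons": reasons, "alert": bool(reasons)}


def build_sample_doc(external_template=None, with_vba=False):
    """Constructed minimal OOXML package, just enough for the .rels walk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        rels = ['<Relationships xmlns="%s">' % REL_NS]
        if external_template:   # the attachedTemplate relationship a remote template uses
            rels.append('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                        'officeDocument/2006/relationships/attachedTemplate" Target="%s" '
                        'TargetMode="External"/>' % external_template)
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")   # placeholder, not a real OLE stream
    return buf.getvalue()


SAMPLE_VBA = '''Sub Document_Open()
    Dim o: Set o = CreateObject("WScript.Shell")
    o.Run "powershell -w hidden -enc " & StrReverse("...")
End Sub'''

if __name__ == "__main__":
    doc = build_sample_doc("https://files.example.net/templates/hr.dotm", with_vba=True)
    print(assess(doc, SAMPLE_VBA))
```

Keyword scoring is a triage signal, not a verdict: legitimate automation uses Shell and CreateObject too, so MacroExecutionPolicy (who is expected to run macros at all) is what turns a score into an alert worth a response.
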