Detection of SMB-based remote file share access over the ADMIN$ or C$ share followed by lateral movement actions on the target host, such as remote service creation, task scheduling, or suspicious process execution.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 (LogonType=3) |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| ShareName | Targeted admin share path, such as C$, ADMIN$, IPC$ |
| TimeWindow | Correlation window between remote file access and remote execution (e.g., 5-10 minutes) |
| UserContext | Distinguish expected remote administrators vs. rare/first-time access by specific users |
| ProcessList | List of suspicious binaries or tools executed post remote copy (e.g., cmd.exe, powershell.exe, runonce.exe) |
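The correlation the tables describe, as an added worked example (not code from the page or from any detection product): a network logon (Security 4624, LogonType 3) from a source address, an inbound TCP/445 connection from that same address (Sysmon EventCode 3), and a start of a process from ProcessList under the logged-on user (Sysmon EventCode 1), all on the same host inside TimeWindow, with UserContext applied as an allowlist of expected remote administrators. None of the three listed channels carries the share name, so the ShareName parameter is not applied here; the inbound SMB connection stands in for the share access. The event records, hostnames, users, addresses and tunable values are constructed for the demo; the field names follow the standard Windows Security and Sysmon schemas.

```python
"""Correlate a remote network logon, an inbound SMB connection and a suspicious
process start on the same host inside a short time window.

Added example, not code from the page: the events below are constructed to
resemble normalized WinEventLog:Security 4624 and WinEventLog:Sysmon 3 / 1
records; tunable values are assumptions chosen for the demo.
"""
import ntpath
from datetime import datetime, timedelta

# Tunables from the parameter table (values are assumptions for the demo).
TIME_WINDOW = timedelta(minutes=10)                          # TimeWindow
EXPECTED_ADMINS = {"CORP\\svc_sccm"}                         # UserContext allowlist
PROCESS_LIST = {"cmd.exe", "powershell.exe", "runonce.exe"}  # ProcessList
SMB_PORT = 445

# Constructed sample events observed on target host FS01 (UTC, ISO 8601).
SAMPLE_EVENTS = [
    # Case 1: rare user, remote logon -> inbound SMB -> cmd.exe inside the window.
    {"ts": "2024-05-01T10:00:00", "host": "FS01", "log": "Security", "EventCode": 4624,
     "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "jdoe", "IpAddress": "10.1.2.3"},
    {"ts": "2024-05-01T10:00:02", "host": "FS01", "log": "Sysmon", "EventCode": 3,
     "Initiated": "false", "SourceIp": "10.1.2.3", "DestinationPort": 445},
    {"ts": "2024-05-01T10:03:30", "host": "FS01", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Case 2: same pattern from an expected remote administrator -> tuned out.
    {"ts": "2024-05-01T11:00:00", "host": "FS01", "log": "Security", "EventCode": 4624,
     "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc_sccm", "IpAddress": "10.1.9.9"},
    {"ts": "2024-05-01T11:00:01", "host": "FS01", "log": "Sysmon", "EventCode": 3,
     "Initiated": "false", "SourceIp": "10.1.9.9", "DestinationPort": 445},
    {"ts": "2024-05-01T11:02:00", "host": "FS01", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\svc_sccm", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    # Case 3: rare user, but the process start is 25 minutes later -> outside the window.
    {"ts": "2024-05-01T12:00:00", "host": "FS01", "log": "Security", "EventCode": 4624,
     "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "bob", "IpAddress": "10.1.5.5"},
    {"ts": "2024-05-01T12:00:03", "host": "FS01", "log": "Sysmon", "EventCode": 3,
     "Initiated": "false", "SourceIp": "10.1.5.5", "DestinationPort": 445},
    {"ts": "2024-05-01T12:25:00", "host": "FS01", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\runonce.exe"},
    # Case 4: interactive logon (LogonType 2) -> not a network logon, ignored.
    {"ts": "2024-05-01T13:00:00", "host": "FS01", "log": "Security", "EventCode": 4624,
     "LogonType": 2, "TargetDomainName": "CORP", "TargetUserName": "alice", "IpAddress": "-"},
    {"ts": "2024-05-01T13:01:00", "host": "FS01", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=TIME_WINDOW, expected_admins=EXPECTED_ADMINS,
              process_list=PROCESS_LIST):
    """Return one alert per (host, user, process) where a LogonType 3 logon from
    address X is followed, within `window`, by an inbound TCP/445 connection from
    X and then a start of a process from `process_list` under the logged-on user."""
    events = sorted(events, key=_ts)
    logons = [e for e in events if e["log"] == "Security" and e["EventCode"] == 4624
              and e.get("LogonType") == 3]
    smb_conns = [e for e in events if e["log"] == "Sysmon" and e["EventCode"] == 3
                 and e.get("DestinationPort") == SMB_PORT and e.get("Initiated") == "false"]
    procs = [e for e in events if e["log"] == "Sysmon" and e["EventCode"] == 1
             and ntpath.basename(e["Image"]).lower() in process_list]

    alerts = {}
    for logon in logons:
        user = f"{logon['TargetDomainName']}\\{logon['TargetUserName']}"
        if user in expected_admins:      # UserContext: expected remote admins are tuned out
            continue
        t0, deadline = _ts(logon), _ts(logon) + window
        for conn in smb_conns:
            if conn["host"] != logon["host"] or conn["SourceIp"] != logon["IpAddress"]:
                continue
            if not t0 <= _ts(conn) <= deadline:
                continue
            for proc in procs:
                if proc["host"] != logon["host"] or proc["User"] != user:
                    continue
                if not _ts(conn) <= _ts(proc) <= deadline:   # TimeWindow
                    continue
                image = ntpath.basename(proc["Image"]).lower()
                alerts.setdefault((logon["host"], user, image), {
                    "host": logon["host"], "user": user, "source_ip": logon["IpAddress"],
                    "process": image, "logon_ts": logon["ts"], "process_ts": proc["ts"]})
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, only Case 1 produces an alert: the expected administrator in Case 2 is suppressed by UserContext, Case 3 falls outside TimeWindow, and Case 4 is never a candidate because it is not a LogonType 3 logon. Widening `window` or emptying `expected_admins` shows how each tunable trades recall against noise, which is the decision the second table asks the analyst to make.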