Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).
Monitor for identical file hashes or similar characteristics (e.g., filename) for files that are created on multiple hosts.
Monitor for file creation in conjunction with other techniques (e.g., file transfers using Remote Services).
Monitor for unusual processes that hold internal network connections while creating files on the system, which may be suspicious.
Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.
Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.
Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.
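The following is an added example, not part of the ATT&CK page, showing how three of the notes above (identical hashes created on multiple hosts, executable files written to administrative shares over SMB, and command lines that copy files to such shares) can be turned into simple analytics over file-creation, share-access and command-execution telemetry. All event records, field names, hostnames, hashes, the MIN_HOSTS/WINDOW thresholds and the share and extension lists are constructed for illustration and are not from the page.

```python
"""Toy detection analytics for lateral tool transfer (added example; not ATT&CK content).

Assumptions (constructed for this example): events are plain dicts with the
keys shown below, timestamps are ISO-8601 strings, and the thresholds and
admin-share / extension lists are illustrative rather than tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$"}                      # assumed list of administrative shares
EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat")   # assumed "executable-looking" extensions
# UNC path pointing at an administrative share, e.g. \\host\C$ or \\host\ADMIN$
UNC_ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:c\$|admin\$)", re.IGNORECASE)

# --- Constructed sample telemetry (not real data) ---------------------------
FILE_CREATION = [
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "path": r"C:\Windows\Temp\upd.exe", "sha256": "aa11"},
    {"ts": "2024-05-01T10:04:00", "host": "ws02", "path": r"C:\Windows\Temp\upd.exe", "sha256": "aa11"},
    {"ts": "2024-05-01T10:09:00", "host": "ws03", "path": r"C:\Users\Public\u.exe", "sha256": "aa11"},
    {"ts": "2024-05-01T10:15:00", "host": "ws01", "path": r"C:\Windows\Temp\upd.exe", "sha256": "aa11"},  # same host again
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "path": r"C:\Users\a\report.docx", "sha256": "bb22"},
    {"ts": "2024-05-01T13:00:00", "host": "ws05", "path": r"C:\Users\b\report.docx", "sha256": "bb22"},
    {"ts": "2024-05-02T09:00:00", "host": "ws07", "path": r"C:\Users\c\report.docx", "sha256": "bb22"},  # 3 hosts, but over a day
]
SHARE_ACCESS = [
    {"ts": "2024-05-01T10:03:30", "src": "ws01", "dst": "ws02", "share": "ADMIN$", "rel_path": r"Temp\upd.exe", "access": "write"},
    {"ts": "2024-05-01T10:30:00", "src": "ws01", "dst": "fs01", "share": "Projects", "rel_path": r"q2\plan.xlsx", "access": "write"},
    {"ts": "2024-05-01T10:31:00", "src": "ws04", "dst": "ws06", "share": "C$", "rel_path": r"Windows\Temp\notes.txt", "access": "read"},
]
COMMANDS = [
    {"ts": "2024-05-01T10:03:29", "host": "ws01", "cmdline": r"copy C:\Windows\Temp\upd.exe \\ws02\ADMIN$\Temp\upd.exe"},
    {"ts": "2024-05-01T10:29:00", "host": "ws01", "cmdline": r"robocopy D:\builds \\fs01\Projects\q2 /E"},
]


def _t(s):
    return datetime.fromisoformat(s)


def hashes_on_multiple_hosts(events, min_hosts=3, window=timedelta(hours=1)):
    """Return {sha256: sorted hosts} for hashes first seen on >= min_hosts
    distinct hosts within any interval of length `window`.
    Implements the note "identical file hashes ... created on multiple hosts"."""
    first_seen = defaultdict(dict)  # sha256 -> host -> first creation time
    for e in events:
        t = _t(e["ts"])
        per_host = first_seen[e["sha256"]]
        if e["host"] not in per_host or t < per_host[e["host"]]:
            per_host[e["host"]] = t
    hits = {}
    for sha, per_host in first_seen.items():
        times = sorted(per_host.values())  # one entry per distinct host
        for i, start in enumerate(times):  # sliding window over first-seen times
            if sum(1 for t in times[i:] if t - start <= window) >= min_hosts:
                hits[sha] = sorted(per_host)
                break
    return hits


def executable_writes_to_admin_shares(events):
    """Flag SMB share-access events that write an executable-looking file to an
    administrative share (note: "files transferred between shares")."""
    return [e for e in events
            if e["access"] == "write"
            and e["share"].upper() in ADMIN_SHARES
            and e["rel_path"].lower().endswith(EXEC_EXTENSIONS)]


def commands_copying_to_admin_shares(events):
    """Flag command lines that reference an administrative share via a UNC path
    (note: "abnormal usage of utilities ... in support of remote transfer of files")."""
    return [e for e in events if UNC_ADMIN_SHARE.search(e["cmdline"])]


if __name__ == "__main__":
    for sha, hosts in hashes_on_multiple_hosts(FILE_CREATION).items():
        print(f"hash {sha} created on {len(hosts)} hosts within window: {hosts}")
    for e in executable_writes_to_admin_shares(SHARE_ACCESS):
        print(f"{e['src']} wrote {e['rel_path']} to {e['dst']}\\{e['share']}")
    for e in commands_copying_to_admin_shares(COMMANDS):
        print(f"{e['host']} ran: {e['cmdline']}")
```

Each analytic is independent, but their hits line up on the sample data (ws01 runs a copy to \\ws02\ADMIN$, the share write is observed, and the same hash then appears on ws02 and ws03), which is the "in conjunction with other techniques" correlation the notes above recommend. The window and host-count thresholds should be tuned against the baseline of legitimate software deployment in the environment, which will also produce identical hashes on many hosts.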
| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | Network Share | None |
| File Metadata (DC0059) | File | None |
| File Creation (DC0039) | File | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
| Command Execution (DC0064) | Command | None |
| Process Creation (DC0032) | Process | None |
| Network Traffic Flow (DC0078) | Network Traffic | None |