Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include
IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.
|C0025||2016 Ukraine Electric Power Attack|
|S1063||Brute Ratel C4|
Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.
|M1037||Filter Network Traffic||
Consider using the host firewall to restrict file sharing communications such as SMB. 
|M1035||Limit Access to Resource Over Network||
Consider disabling Windows administrative shares.
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
|M1026||Privileged Account Management||
Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.
|ID||Data Source||Data Component||Detects|
|DS0028||Logon Session||Logon Session Creation||
Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. 
|DS0033||Network Share||Network Share Access||
Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB).
|DS0029||Network Traffic||Network Connection Creation||
Monitor for newly constructed network connections (typically over ports 139 or 445), especially those that are sent or received by abnormal or untrusted hosts. Correlate these network connections with remote login events and associated SMB-related activity such as file transfers and remote process execution.
|Network Traffic Flow||
Monitor network data for uncommon SMB data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
Implementation 1: SMB Write
Implementation 2: SMB Copy and Execution