Detect SMB File Copies
SMB File Copy
Query
let WhitelistedAccounts = dynamic(['account1', 'account2']);
IdentityDirectoryEvents
| where ActionType == 'SMB file copy'
| where not(AccountName has_any (WhitelistedAccounts))
| extend
SMBFileCopyCount = parse_json(AdditionalFields).Count,
FilePath = parse_json(AdditionalFields).FilePath,
FileName = parse_json(AdditionalFields).FileName
| project-rename SourceDeviceName = DeviceName
| project-reorder
Timestamp,
ActionType,
SourceDeviceName,
DestinationDeviceName,
FilePath,
FileName,
SMBFileCopyCountAbout this query
Explanation
This query is designed to detect suspicious file copying activities over the SMB protocol, which is often used for file sharing on Windows networks. The query specifically looks for instances where files are copied using SMB, but excludes activities performed by accounts that are considered safe or "whitelisted."
Here's a simple breakdown of the query:
-
Whitelisted Accounts: The query starts by defining a list of accounts that are considered safe and should be ignored in the detection process. These are specified in a dynamic list called
WhitelistedAccounts. -
Data Source: The query searches through
IdentityDirectoryEvents, which logs various identity-related activities, including file operations. -
Filter Criteria: It filters events where the action type is 'SMB file copy', indicating a file was copied using the SMB protocol. It further filters out any events involving accounts that are in the whitelist.
-
Data Extraction: For each relevant event, the query extracts additional details such as the number of files copied (
SMBFileCopyCount), the file path, and the file name from theAdditionalFieldscolumn. -
Renaming and Reordering: The query renames the
DeviceNamefield toSourceDeviceNamefor clarity and reorders the columns to present the data in a more organized manner, showing the timestamp, action type, source and destination device names, file path, file name, and the count of files copied. -
Purpose: The main goal is to identify potentially malicious file copying activities that could indicate an adversary is distributing malware within the network. Legitimate file copies by administrators or other trusted users should be added to the whitelist to avoid false positives.
By running this query, security teams can monitor and investigate unauthorized or suspicious file copying activities over SMB, helping to protect the network from potential threats.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators