An uncommon executable was remotely written over SMB to an uncommon destination

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: SMB/Windows Admin Shares (T1021.002)

Severity

Low

Description

An uncommon executable was remotely written over SMB to a destination that was not involved in significant similar activity during the last month.

Attacker's Goals

Transfer tools as part of lateral movement activity across the network.

Investigative actions

  • Verify whether the written file is malicious.
  • Investigate whether the file was executed on the destination host.
  • Check the remote SMB client for other suspicious activity.

Variations

An uncommon executable was remotely written over SMB to a highly suspicious destination

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: SMB/Windows Admin Shares (T1021.002)

Severity

High

Description

An uncommon executable was remotely written over SMB to a highly suspicious destination that was not involved in significant similar activity during the last month.

Attacker's Goals

Transfer tools as part of lateral movement activity across the network.

Investigative actions

  • Verify whether the written file is malicious.
  • Investigate whether the file was executed on the destination host.
  • Check the remote SMB client for other suspicious activity.


An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: SMB/Windows Admin Shares (T1021.002)

Severity

Medium

Description

An uncommon executable with SCR extension was remotely written over SMB to a destination that was not involved in significant similar activity during the last month.

Attacker's Goals

Transfer tools as part of lateral movement activity across the network, leveraging a lesser-known PE extension (.scr screensaver files are ordinary PE executables) to masquerade a malicious file.

Investigative actions

  • Verify whether the written file is malicious.
  • Investigate whether the file was executed on the destination host.
  • Check the remote SMB client for other suspicious activity.
  • Verify whether the executable is a genuine screensaver, for example by detonating it in a controlled environment.


PsExec remote service component was remotely written over SMB to an uncommon destination

Synopsis

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: SMB/Windows Admin Shares (T1021.002)

Severity

Low

Description

PsExec remote service component was remotely written over SMB to a destination that was not involved in significant similar activity during the last month.

Attacker's Goals

Transfer tools as part of lateral movement activity across the network.

Investigative actions

  • Verify whether the written file is malicious.
  • Investigate whether the file was executed on the destination host (PsExec installs its service component as PSEXESVC on the destination).
  • Check the remote SMB client for other suspicious activity.
  • Verify whether this is part of authorized activity, as PsExec is used for both benign administration and malicious lateral movement.
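The following Python example is added here and is not Cortex XDR code or part of this reference. It models how the base alert and its three variations above can be reproduced from SMB write telemetry: a 30-day per-destination baseline of remote executable writes and a 1-day deduplication window (both from the Synopsis), the naming and severity of each variation, and the "was the file executed on the host" check from the investigative actions. The event fields, the thresholds that define an "uncommon executable" and "significant similar activity", the list of highly suspicious destinations, and every sample event are assumptions constructed for the demo.

```python
import os
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TRAINING_PERIOD = timedelta(days=30)   # Synopsis: Training Period
DEDUP_PERIOD = timedelta(days=1)       # Synopsis: Deduplication Period
SIGNIFICANT_WRITES = 10                # assumption: monthly writes that make a destination "common"
UNCOMMON_MAX_HOSTS = 2                 # assumption: a hash on <= 2 hosts is an "uncommon executable"
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".sys"}   # assumption
PSEXEC_SERVICE_BINARY = "psexesvc.exe"  # the service component PsExec copies to the target

ALERT_BASE = "An uncommon executable was remotely written over SMB to an uncommon destination"
ALERT_SUSPICIOUS = "An uncommon executable was remotely written over SMB to a highly suspicious destination"
ALERT_SCR = "An uncommon executable with SCR extension was remotely written over SMB to an uncommon destination"
ALERT_PSEXEC = "PsExec remote service component was remotely written over SMB to an uncommon destination"


@dataclass(frozen=True)
class SmbWrite:               # assumed event shape
    ts: datetime
    client: str               # remote SMB client
    dest: str                 # destination host
    path: str                 # path written on dest
    sha256: str


@dataclass(frozen=True)
class ProcessStart:           # assumed process-start telemetry from the destination
    ts: datetime
    host: str
    image: str


@dataclass(frozen=True)
class Alert:
    name: str
    severity: str
    event: SmbWrite


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_pe(path: str) -> bool:
    return os.path.splitext(_basename(path))[1] in PE_EXTENSIONS


class SmbWriteDetector:
    def __init__(self, suspicious_destinations=()):
        self.history: list[SmbWrite] = []
        self.hash_hosts: dict[str, set[str]] = defaultdict(set)
        self.last_alert: dict[tuple[str, str], datetime] = {}
        self.suspicious = {d.lower() for d in suspicious_destinations}  # assumption: analyst-supplied list

    def _baseline_writes(self, dest: str, now: datetime) -> int:
        cutoff = now - TRAINING_PERIOD
        return sum(1 for w in self.history if w.dest == dest and w.ts >= cutoff and _is_pe(w.path))

    def observe(self, w: SmbWrite, alerting: bool = True) -> Optional[Alert]:
        """Feed one SMB write; alerting=False ingests training data silently."""
        alert = self._evaluate(w) if alerting and _is_pe(w.path) else None
        # Record after evaluation so an event never counts toward its own baseline.
        self.history.append(w)
        self.hash_hosts[w.sha256].add(w.dest)
        return alert

    def _evaluate(self, w: SmbWrite) -> Optional[Alert]:
        name = _basename(w.path)
        is_psexec = name == PSEXEC_SERVICE_BINARY
        uncommon = len(self.hash_hosts[w.sha256]) <= UNCOMMON_MAX_HOSTS
        if not (uncommon or is_psexec):
            return None
        if self._baseline_writes(w.dest, w.ts) >= SIGNIFICANT_WRITES:
            return None   # destination routinely receives remote executables: no alert
        if is_psexec:
            alert_name, severity = ALERT_PSEXEC, "Low"
        elif w.dest.lower() in self.suspicious:
            alert_name, severity = ALERT_SUSPICIOUS, "High"
        elif name.endswith(".scr"):
            alert_name, severity = ALERT_SCR, "Medium"
        else:
            alert_name, severity = ALERT_BASE, "Low"
        key = (alert_name, w.dest)
        last = self.last_alert.get(key)
        if last is not None and w.ts - last < DEDUP_PERIOD:
            return None   # same alert on the same destination inside the dedup period
        self.last_alert[key] = w.ts
        return Alert(alert_name, severity, w)


def executed_after_write(alert: Alert, starts: list[ProcessStart],
                         window: timedelta = timedelta(hours=24)) -> list[ProcessStart]:
    """Investigative action: was the written file launched on the destination afterwards?"""
    e = alert.event
    return [p for p in starts if p.host == e.dest and p.image.lower() == e.path.lower()
            and e.ts <= p.ts <= e.ts + window]


T0 = datetime(2024, 10, 1, 9, 0)


def run_demo():
    det = SmbWriteDetector(suspicious_destinations={"DC01"})
    # Constructed training data: a deployment server pushes agent.exe to FILESRV01 daily
    # and to five workstations, so that hash and that destination become "common".
    for day in range(20):
        det.observe(SmbWrite(T0 - timedelta(days=29 - day), "10.0.0.10", "FILESRV01",
                             r"C:\Packages\agent.exe", "h-agent"), alerting=False)
    for n in range(5):
        det.observe(SmbWrite(T0 - timedelta(days=15), "10.0.0.10", f"WS-00{n}",
                             r"C:\Packages\agent.exe", "h-agent"), alerting=False)
    live = [  # constructed live events; "h-..." stand in for SHA-256 values
        SmbWrite(T0, "10.0.0.10", "FILESRV01", r"C:\Packages\new.exe", "h-rare0"),        # common destination
        SmbWrite(T0 + timedelta(hours=1), "10.0.0.10", "WS-010", r"C:\Packages\agent.exe", "h-agent"),  # common hash
        SmbWrite(T0 + timedelta(hours=2), "10.0.0.55", "WS-042", r"C:\Windows\Temp\svc.exe", "h-rare1"),
        SmbWrite(T0 + timedelta(hours=3), "10.0.0.55", "WS-042", r"C:\Windows\Temp\svc2.exe", "h-rare2"),  # deduped
        SmbWrite(T0 + timedelta(hours=4), "10.0.0.55", "WS-043", r"C:\Users\Public\photo.scr", "h-rare3"),
        SmbWrite(T0 + timedelta(hours=5), "10.0.0.55", "WS-044", r"C:\Windows\PSEXESVC.exe", "h-psexec"),
        SmbWrite(T0 + timedelta(hours=6), "10.0.0.55", "DC01", r"C:\Windows\Temp\m.exe", "h-rare4"),
        SmbWrite(T0 + timedelta(hours=30), "10.0.0.55", "WS-042", r"C:\Windows\Temp\svc3.exe", "h-rare5"),
    ]
    alerts = [a for a in (det.observe(w) for w in live) if a is not None]
    starts = [  # constructed process-start telemetry
        ProcessStart(T0 + timedelta(hours=2, minutes=5), "WS-042", r"C:\Windows\Temp\svc.exe"),
        ProcessStart(T0 + timedelta(hours=5, seconds=1), "WS-044", r"C:\Windows\PSEXESVC.exe"),
    ]
    return alerts, [executed_after_write(a, starts) for a in alerts]


if __name__ == "__main__":
    for alert, hits in zip(*run_demo()):
        print(f"[{alert.severity}] {alert.name}: {alert.event.client} -> {alert.event.dest} "
              f"{alert.event.path} executed={bool(hits)}")
```

Running it yields five alerts out of eight live events: the write to FILESRV01 is suppressed by its baseline, the agent.exe push is suppressed because the hash is common, and the second write to WS-042 inside the same day is deduplicated. The execution check flags the WS-042 and WS-044 alerts, which is where an analyst should start.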