Skip to content

DET0530 Multi-Event Detection for SMB Admin Share Lateral Movement

Item Value
ID DET0530
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1021.002 (SMB/Windows Admin Shares)

Analytics

Windows

AN1468

An SMB-based remote file share access followed by lateral movement actions such as remote service creation, task scheduling, or suspicious process execution on the target host using ADMIN$ or C$ shares.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) WinEventLog:Security EventCode=4624, 4648
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
ShareName Targeted admin share path, such as C$, ADMIN$, IPC$
TimeWindow Correlation window between remote file access and remote execution (e.g., 5-10 minutes)
UserContext Distinguish expected remote administrators vs. rare/first-time access by specific users
ProcessList List of suspicious binaries or tools executed post remote copy (e.g., cmd.exe, powershell.exe, runonce.exe)