← Back to Explore
crowdstrike_cqlTTP
SMB File Copy to Multiple Devices (Microsoft Defender for Identity)
Detects instances where files are copied over SMB to multiple devices within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement where an attacker distributes tools or payloads across systems to expand access and establish control. Detects instances where files are copied over SMB to multiple devices within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement where an attacker distributes tools or payloads across systems to expand access and establish control.
Detection Query
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityDirectoryEvents"
| Vendor.properties.ActionType = "SMB file copy"
| groupBy([user.name, source.address], function=[count(as=file_copies),count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),collect(fields=Vendor.properties.DestinationDeviceName),collect(fields=[Vendor.properties.DeviceName,Vendor.properties.AdditionalFields.FileName]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| unique_destinations >= 1
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 30
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([unique_destinations], order=desc)
Author
Kundan Kumar
Data Sources
Identity
Tags
Detectioncs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: SMB File Copy to Multiple Devices (Microsoft Defender for Identity)
# MITRE ATT&CK technique IDs
mitre_ids:
- T1021.002
# Description of what the query does and its purpose.
description: |
Detects instances where files are copied over SMB to multiple devices within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement where an attacker distributes tools or payloads across systems to expand access and establish control.
# The author or team that created the query.
author: Kundan Kumar
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
- Identity
# The CrowdStrike modules required to run this query.
cs_required_modules:
- Identity
# Tags for filtering and categorization.
tags:
- Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityDirectoryEvents"
| Vendor.properties.ActionType = "SMB file copy"
| groupBy([user.name, source.address], function=[count(as=file_copies),count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),collect(fields=Vendor.properties.DestinationDeviceName),collect(fields=[Vendor.properties.DeviceName,Vendor.properties.AdditionalFields.FileName]),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| unique_destinations >= 1
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 30
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([unique_destinations], order=desc)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
Detects instances where files are copied over SMB to multiple devices within a short timeframe, as identified by Microsoft Defender for Identity. This behavior may indicate lateral movement where an attacker distributes tools or payloads across systems to expand access and establish control.