T1021.002 SMB/Windows Admin Shares Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect suspicious SMB admin share access and lateral tool transfer
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
| where ActionType in ("ConnectionSuccess", "ConnectionFound")
// Exclude known legitimate management traffic
| where not (InitiatingProcessFileName in~ ("svchost.exe", "System") and RemotePort == 445)
| extend IsAdminShare = InitiatingProcessCommandLine has_any ("ADMIN$", "C$", "IPC$", "\\\\")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort, RemoteUrl, ActionType
| union (
    // Detect PsExec-style service creation over SMB
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")
    | extend Source = "PsExec"
    | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine,
             AccountName, Source
)
| union (
    // Detect net use commands establishing share connections
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName =~ "net.exe" or FileName =~ "net1.exe"
    | where ProcessCommandLine has "use" and ProcessCommandLine has_any ("ADMIN$", "C$", "IPC$", "\\\\")
    | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

SCCM/Intune agents distributing software packages via ADMIN$ shares to managed endpoints
Backup agents (Veeam, NetBackup, Commvault) accessing C$ for backup operations
IT administrators manually copying files to ADMIN$ for troubleshooting or patching
Legitimate PsExec use by sysadmins for remote command execution on managed hosts
Windows file sharing between workstations in peer-to-peer environments or home networks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=5140 OR EventCode=5145)
| eval ShareName=coalesce('Share_Name', ObjectName)
| eval SourceIP=coalesce('Source_Address', IpAddress)
| eval AccessAccount=coalesce('Account_Name', SubjectAccountName)
| where ShareName IN ("\\\\*\\ADMIN$", "\\\\*\\C$", "\\\\*\\IPC$") OR match(ShareName, "\\\\\\\\.*\\\\(ADMIN|C|IPC)\\$")
| eval AlertType="AdminShareAccess"
| table _time, host, ShareName, SourceIP, AccessAccount, AlertType
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\psexec.exe" OR Image="*\\psexec64.exe" OR Image="*\\paexec.exe" OR Image="*\\remcom.exe")
| eval AlertType="PsExecExecution"
| table _time, host, Image, CommandLine, User, AlertType
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\net.exe" OR Image="*\\net1.exe")
  CommandLine="*use*"
  (CommandLine="*ADMIN$*" OR CommandLine="*C$*" OR CommandLine="*IPC$*")
| eval AlertType="NetUseAdminShare"
| table _time, host, Image, CommandLine, User, AlertType
)
| sort - _time

high severity high confidence

Data Sources

Network Traffic: Network Share Access Process: Process Creation Windows Security Event ID 5140 (Network Share Object Access) Windows Security Event ID 5145 (Network Share Object Detailed) Sysmon Event ID 1 (Process Create)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

SCCM/Intune agents distributing software packages via ADMIN$ shares
Backup agents accessing C$ for backup operations
IT administrators manually copying files to ADMIN$ for patching
Legitimate PsExec use by sysadmins for remote command execution
Windows file sharing between workstations

Elastic Security (EQL)

eql

any where
  (
    event.category == "network" and
    event.type == "connection" and
    destination.port == 445 and
    process.name != null and
    process.name not in~ ("svchost.exe", "System") and
    process.command_line like~ ("*ADMIN$*", "*IPC$*", "*C$*")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name in~ ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name in~ ("net.exe", "net1.exe") and
    process.command_line like~ "*use*" and
    process.command_line like~ ("*ADMIN$*", "*C$*", "*IPC$*")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Winlogbeat with Windows module Filebeat with Windows Event Log input Elastic Agent with Windows integration

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* logs-windows.* .ds-logs-system.security-*

False Positives

SCCM/ConfigMgr, PDQ Deploy, Ansible WinRM, and similar endpoint management platforms routinely connect to port 445 and reference admin shares for software deployment; baseline expected management hosts and service accounts
Enterprise backup solutions (Veeam, Acronis, Backup Exec, Windows Server Backup) mount remote C$ or ADMIN$ for agent-less file-level backups; exclude known backup server source IPs and service accounts
Domain controllers performing SYSVOL and NETLOGON share replication, and IT administrators manually mapping administrative shares for remote troubleshooting, generate process.command_line values that match admin share patterns

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  "EventID" AS event_id,
  "ShareName" AS share_name,
  "CommandLine" AS command_line,
  "Image" AS process_image
FROM events
WHERE LAST 24 HOURS
  AND (
    (
      "EventID" IN ('5140', '5145')
      AND (
        "ShareName" ILIKE '%ADMIN$%'
        OR "ShareName" ILIKE '%C$%'
        OR "ShareName" ILIKE '%IPC$%'
      )
    )
    OR (
      "EventID" = '1'
      AND (
        "Image" ILIKE '%psexec.exe'
        OR "Image" ILIKE '%psexec64.exe'
        OR "Image" ILIKE '%paexec.exe'
        OR "Image" ILIKE '%remcom.exe'
      )
    )
    OR (
      "EventID" = '1'
      AND ("Image" ILIKE '%net.exe' OR "Image" ILIKE '%net1.exe')
      AND "CommandLine" ILIKE '%use%'
      AND (
        "CommandLine" ILIKE '%ADMIN$%'
        OR "CommandLine" ILIKE '%C$%'
        OR "CommandLine" ILIKE '%IPC$%'
      )
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

QRadar DSM for Microsoft Windows Security Event Log (WinCollect agent or WEF) QRadar DSM for Sysmon via WinCollect or Windows Event Forwarding IBM QRadar WinCollect agent on monitored Windows endpoints

Required Tables

events

False Positives

Enterprise endpoint management platforms (SCCM, Tanium, Ivanti Endpoint Manager) deploy software packages over SMB admin shares, generating high-volume 5140/5145 events during patch windows; whitelist known management server source IPs
Network backup agents (Veeam, Commvault, Cohesity) connecting to remote C$ or ADMIN$ for agent-less backup operations produce continuous share access events that match EventID 5140/5145 patterns
PsExec is a legitimate SysInternals utility used by IT help desk and sysadmin teams for remote command execution; correlate with expected source usernames and originating workstations to distinguish authorized use from adversarial lateral movement

Sumo Logic CSE

sql

(_sourceCategory=*Windows* OR _sourceCategory=*WinEvent* OR _sourceCategory=*Sysmon*)
| parse regex "EventID[^>]*>(?<event_id>\d+)" nodrop
| parse regex "ShareName[^>]*>(?<share_name>[^<]+)" nodrop
| parse regex "<Image[^>]*>(?<process_image>[^<]+)" nodrop
| parse regex "CommandLine[^>]*>(?<command_line>[^<]+)" nodrop
| parse regex "IpAddress[^>]*>(?<source_ip>[^<]+)" nodrop
| parse regex "SubjectUserName[^>]*>(?<subject_user>[^<]+)" nodrop
| where (
    (event_id in ("5140", "5145")
      AND (share_name matches "*ADMIN$*" OR share_name matches "*C$*" OR share_name matches "*IPC$*"))
    OR (event_id = "1"
        AND (process_image matches "*psexec.exe" OR process_image matches "*psexec64.exe"
             OR process_image matches "*paexec.exe" OR process_image matches "*remcom.exe"))
    OR (event_id = "1"
        AND (process_image matches "*net.exe" OR process_image matches "*net1.exe")
        AND toLowerCase(command_line) matches "*use*"
        AND (command_line matches "*ADMIN$*" OR command_line matches "*C$*" OR command_line matches "*IPC$*"))
  )
| fields _messageTime, _sourceHost, event_id, share_name, source_ip, process_image, command_line, subject_user
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Event Log source via Sumo Logic installed collector (Windows Security and System logs) Sysmon operational log (Microsoft-Windows-Sysmon/Operational) via Sumo Logic collector Windows Event Forwarding (WEF) subscription forwarding to Sumo Logic HTTP Source

Required Tables

_sourceCategory=*Windows* _sourceCategory=*Sysmon* _sourceCategory=*WinEvent*

False Positives

Windows EventID 5140 is generated for every network share access including routine NETLOGON and SYSVOL access from all domain-joined systems; ensure the where clause strictly filters to ADMIN$, C$, and IPC$ share names to minimize false positive volume
Systems running scheduled backup jobs (Veeam, Backup Exec) that connect to remote administrative shares generate persistent 5140/5145 events; create exclusion filters for known backup service account usernames and source host names
IT automation and configuration management tooling (Ansible, Puppet, Chef using WinRM + SMB) that leverages administrative shares for file transfer will match the net use and PsExec detections during deployment runs; correlate with change management records

Google Chronicle / SecOps

yaral

rule smb_admin_share_lateral_movement {
  meta:
    author = "Detection Engineering"
    description = "Detects SMB admin share access and lateral tool transfer - T1021.002"
    severity = "HIGH"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.002"
    reference = "https://attack.mitre.org/techniques/T1021/002/"
    false_positives = "IT management tools, backup agents, domain replication"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.file.full_path, `(?i)(psexec64?|paexec|remcom)\.exe$`) or
        (
          re.regex($e.target.process.file.full_path, `(?i)net1?\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)\buse\b`) and
          re.regex($e.target.process.command_line, `(?i)(ADMIN\$|IPC\$|C\$)`)
        )
      )
    ) or
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" and
      $e.network.destination_port = 445 and
      not re.regex($e.principal.process.file.full_path, `(?i)(svchost|lsass|smss)\.exe$`) and
      re.regex($e.principal.process.command_line, `(?i)(ADMIN\$|IPC\$|C\$)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle Windows sensor or Google SecOps Windows log ingestion Bindplane agent forwarding Windows Security and Sysmon events to Chronicle Chronicle SOAR connectors for endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne)

Required Tables

UDM events with event_type PROCESS_LAUNCH UDM events with event_type NETWORK_CONNECTION

False Positives

Legitimate administrative tools including SysInternals PsExec used by SOC/IT teams, SCCM remote execution clients, and RMM tools (ConnectWise, Kaseya) that leverage PsExec-style execution should be baselined and added to a reference list for suppression
Endpoint security and monitoring solutions (CrowdStrike RTR, Carbon Black Live Response, SentinelOne Remote Shell) that use SMB internally for agent communication may trigger NETWORK_CONNECTION rules; exclude known security tooling process paths
Group Policy Object (GPO) processing, domain join operations, and SYSVOL synchronization from legitimate domain infrastructure generate SMB port 445 connections that may match if command_line telemetry is populated; whitelist domain controller IP ranges

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["ProcessRollup2", "NetworkConnectIP4"]
| case {
    FileName = /(?i)^(psexec64?|paexec|remcom)\.exe$/ |
      alert_type := "PsExecExecution" ;
    FileName = /(?i)^net1?\.exe$/ |
    CommandLine = /(?i)\buse\b/ |
    CommandLine = /(?i)(ADMIN\$|IPC\$|C\$)/ |
      alert_type := "NetUseAdminShare" ;
    #event_simpleName = "NetworkConnectIP4" |
    RemotePort = "445" |
    FileName != "svchost.exe" |
    FileName != "System" |
      alert_type := "SMB445Connection" ;
    * | drop()
  }
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, RemoteAddressIP4, RemotePort, alert_type], limit=1000, sortby=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR sensor telemetry) CrowdStrike Falcon Insight XDR Falcon LogScale (Humio) with Falcon data connector via HEC or Falcon Data Replicator

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

CrowdStrike Falcon's own Real Time Response (RTR) capability uses SMB for file transfer operations during live response sessions; NetworkConnectIP4 events on port 445 originating from the Falcon sensor process (CSFalconService.exe) should be explicitly excluded
PsExec is widely used by IT administrators for authorized remote management; in environments where psexec is sanctioned, enrich detections with user context and restrict alerting to non-privileged accounts or unusual source systems not in the IT asset list
Backup and monitoring agents (SolarWinds, PRTG, Zabbix, Veeam) that poll remote hosts via SMB or use administrative shares for data collection will generate NetworkConnectIP4 events on port 445 at regular intervals; whitelist known monitoring infrastructure by source hostname or IP

SMB/Windows Admin Shares

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections