New

The executive guide to generative AI

Read more

Attempt to Mount SMB Share via Command Line

edit

Attempt to Mount SMB Share via Command Line

edit

Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Lateral Movement

Version: 102

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
process where host.os.type == "macos" and event.type in ("start", "process_started") and
  (
    process.name : "mount_smbfs" or
    (process.name : "open" and process.args : "smb://*") or
    (process.name : "mount" and process.args : "smbfs") or
    (process.name : "osascript" and process.command_line : "osascript*mount volume*smb://*")
  ) and
  not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive"

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback