- This script identifies files that may have been copied to a remote host over SMB2. It inspects the CreateDisposition value (the request$disposition field of the SMB2 CREATE request) and, when that value is 2 (FILE_CREATE), 4 (FILE_OVERWRITE) or 5 (FILE_OVERWRITE_IF), raises a notice in notice.log carrying the name of the file that may have been written. Note that a CREATE request with one of these dispositions only shows that the client asked to create or truncate the file; the data itself is carried in the WRITE requests that follow, so a hit means "may have been copied", not "was copied". The remaining dispositions, 0 (FILE_SUPERSEDE) and 3 (FILE_OPEN_IF), can also create or replace a file and are not matched by default. If desired, an additional check can restrict the notice to particular file extensions, e.g. .bat, .exe, .dll.
For additional information, please review the CreateDisposition section of MS-SMB2 at https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/e8fb45c1-a03d-44ca-b7ae-47385cfd7997.
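The following is an added example and not the script this page describes. It assumes the script is a Zeek policy script (implied by the notice.log and request$disposition references above) and shows the disposition check together with the optional extension filter; the module name, notice type name, extension list and the choice of dispositions are illustrative and redefinable, not taken from the original:

```zeek
# Added example, not the original script. Assumes Zeek with the SMB analyzer
# loaded; module and notice names are illustrative.
@load base/protocols/smb

module SMB2FileCopy;

export {
    redef enum Notice::Type += {
        ## Raised when an SMB2 CREATE request asks to create or overwrite a file.
        File_Copied
    };

    # CreateDisposition values from MS-SMB2 section 2.2.13.
    const FILE_SUPERSEDE    = 0;
    const FILE_OPEN         = 1;
    const FILE_CREATE       = 2;
    const FILE_OPEN_IF      = 3;
    const FILE_OVERWRITE    = 4;
    const FILE_OVERWRITE_IF = 5;

    ## Dispositions that trigger a notice. FILE_SUPERSEDE and FILE_OPEN_IF can also
    ## create or replace a file; add them here if a broader net is wanted.
    const trigger_dispositions: set[count] = {
        FILE_CREATE, FILE_OVERWRITE, FILE_OVERWRITE_IF
    } &redef;

    ## Optional extension filter (illustrative list). Set to a pattern that
    ## matches everything, e.g. /.*/, to notice on every file name.
    const watched_extensions: pattern = /\.(bat|exe|dll|ps1|vbs)$/i &redef;
}

event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
{
    # Only creations and overwrites are of interest; plain opens are ignored.
    if ( request$disposition !in trigger_dispositions )
        return;

    local fname = request$filename;

    # Extension filter: drop the name if it does not end in a watched extension.
    if ( watched_extensions !in fname )
        return;

    NOTICE([$note=File_Copied,
            $msg=fmt("SMB2 CREATE with disposition %d (create/overwrite) for %s",
                     request$disposition, fname),
            $sub=fname,
            $conn=c,
            # Deduplicate repeated notices for the same client, server and file.
            $identifier=cat(c$id$orig_h, c$id$resp_h, fname)]);
}
```

The disposition check alone fires on every empty-file creation and truncation, so the extension filter or a correlation with subsequent WRITE activity is what turns this from a noisy signal into something usable in notice.log; the $identifier lets Notice::suppress collapse repeated hits for the same host pair and file name.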