Post-compromise, threat actors are using the Server Message Block (SMB) protocol to move laterally and carry out their objectives. How does an organization go about detecting this activity, which is designed to blend in with normal traffic? Enabling Windows event logs to audit access to file shares may assist in detection. However, sifting through the sheer volume of logs created during normal day-to-day operations is not ideal. Actors may also move malware from share to share, undetected by an organization’s particular anti-virus solution. Bro Network Security Monitor provides the functionality and flexibility needed to detect some of these techniques on the wire. This session is designed to show defenders the capability of Bro to detect malicious SMB activity, specifically during lateral movement. The scripts and examples introduced can be used right away in environments with Bro deployed.