sigmalowHunting

Suspicious Get Information for SMB Share

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

MITRE ATT&CK

T1069.001

discovery

Detection Query

selection:
  ScriptBlockText|contains: get-smbshare
condition: selection

Author

frack113

Created

2021-12-15

Data Sources

windowsps_script

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md

Tags

attack.discoveryattack.t1069.001

Raw Content

title: Suspicious Get Information for SMB Share
id: 95f0643a-ed40-467c-806b-aac9542ec5ab
status: test
description: |
    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
    a precursor for Collection and to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: get-smbshare
    condition: selection
falsepositives:
    - Unknown
level: low