EXPLORE
Sign In
← Back to Explore
T1135

Network Share Discovery

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Fol...

LinuxmacOSWindows
20
Detections
4
Sources
16
Threat Actors

BY SOURCE

8splunk_escu5sigma4crowdstrike_cql3elastic

PROCEDURES (12)

Process Creation Monitoring3 detections

Auto-extracted: 3 detections for process creation monitoring

Remote2 detections

Auto-extracted: 2 detections for remote

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Powershell1 detections

Auto-extracted: 1 detections for powershell

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Ransomware1 detections

Auto-extracted: 1 detections for ransomware

Api1 detections

Auto-extracted: 1 detections for api

Api1 detections

Auto-extracted: 1 detections for api

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Service1 detections

Auto-extracted: 1 detections for service

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Remote1 detections

Auto-extracted: 1 detections for remote

THREAT ACTORS (16)

APT1APT32APT38APT39APT41BlackByteChimeraDarkVishnyaDragonflyFIN13INC RansomMedusa GroupSowbugTonto TeamTropic TrooperWizard Spider

DETECTIONS (20)

Advanced IP or Port Scanner Execution
splunk_escu
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
sigmahigh
HackTool - SharpView Execution
sigmahigh
Lateral Movement Detection
crowdstrike_cql
Lateral Movement Detection
crowdstrike_cql
MacOS Network Share Discovery
splunk_escu
Manual Mount Discovery via /etc/exports or /etc/fstab
elasticmedium
Net.EXE Execution
sigmalow
Network Share Discovery Via Dir Command
splunk_escu
PowerShell Share Enumeration Script
elastichigh
PowerShell Suspicious Discovery Related Windows API Functions
elasticlow
PUA - Advanced IP Scanner Execution
sigmamedium
PUA - Advanced Port Scanner Execution
sigmamedium
SMB Enumeration | Defender for Identity
crowdstrike_cql
SMB Enumeration | Defender for Identity
crowdstrike_cql
Windows Administrative Shares Accessed On Multiple Hosts
splunk_escu
Windows File Share Discovery With Powerview
splunk_escu
Windows Large Number of Computer Service Tickets Requested
splunk_escu
Windows Network Share Interaction Via Net
splunk_escu
Windows Special Privileged Logon On Multiple Hosts
splunk_escu