PowerShell Share Enumeration Script
Detects PowerShell scripts that use ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or Windows share enumeration APIs (shi1_netname/shi1_remark with NetShareEnum/NetApiBufferFree). Attackers use share enumeration to map accessible network shares for collection, lateral movement, or ransomware targeting.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/08/17"
integration = ["windows"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts that use ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or Windows
share enumeration APIs (shi1_netname/shi1_remark with NetShareEnum/NetApiBufferFree). Attackers use share enumeration to
map accessible network shares for collection, lateral movement, or ransomware targeting.
"""
from = "now-9m"
index = ["logs-windows.powershell*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Share Enumeration Script"
references = [
    "https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
    "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
    "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md",
]
risk_score = 73
rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Resources: Investigation Guide",
    "Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text:(
    "Invoke-ShareFinder" or
    "Invoke-ShareFinderThreaded" or
    (
      "shi1_netname" and
      "shi1_remark"
    ) or
    (
      "NetShareEnum" and
      "NetApiBufferFree"
    )
  ) and not user.id : "S-1-5-18"
'''

note = """## Triage and analysis

### Investigating PowerShell Share Enumeration Script

#### Possible investigation steps

- Does the reconstructed script block show active share enumeration or only helper code loading?
  - Why: PowerView-style modules can define functions before invocation, so a function name alone is weaker than target selection, loops, output handling, or access checks.
  - Focus: reconstruct the script with `powershell.file.script_block_id` + `powershell.sequence` + `powershell.total` on the same `host.id`, then inspect `powershell.file.script_block_text` for ShareFinder calls, NetShareEnum wrappers, and share result fields such as "shi1_netname" or "shi1_remark". $investigate_0
  - Implication: escalate when reconstruction shows active enumeration, target lists, loops, share output, or access testing; lower concern when it only defines helper code and no later invocation appears. Missing fragments keep intent unresolved, not benign.

- Can the PowerShell launch context be recovered?
  - Why: script block events preserve code; command line and parentage require a matching process event.
  - Focus: when endpoint process telemetry exists, recover the matching process via `host.id` + `process.pid` before using `process.*` or `process.parent.*`; review `process.command_line`, `process.parent.executable`, and session type. $investigate_1
  - Hint: anchor returned process starts to `@timestamp`; empty, multiple, or distant PID matches keep launch context unresolved.
  - Implication: escalate when the launcher is a document, script host, remote session, scheduled task, or user-writable path; lower concern when launcher, arguments, and session type match the same script path, target scope, and user/host anchors for a recurring inventory or storage-audit job. If endpoint process telemetry is missing, continue with script content, source path, user/host anchors, and related-alert scope instead of closing.

- Does the script widen discovery with broad targets, threading, or access checks?
  - Focus: reconstructed `powershell.file.script_block_text` for threading, host/domain lists, access-check options, ADMIN$ testing, ping suppression, delay/jitter, credential objects, or loops over many hosts or shares.
  - Implication: escalate when the script uses threading, access checks, alternate credentials, broad domain or host-list discovery, or ADMIN$ testing; lower concern when the target set is tightly bounded to one recognized inventory, access-review, or storage-audit task.

- Are source or output artifacts risky?
  - Focus: source path when present, fileless execution, output redirection/export, target/share arrays or excluded-share logic, and same-host/user file events for surrounding output or staging artifacts. $investigate_4
  - Implication: escalate when execution is fileless or sourced from temp, downloads, mounted shares, or user-writable paths; also escalate when the script writes reusable share results, prioritizes ADMIN$ or accessible shares, or builds target lists for collection or ransomware staging. Lower concern only when a stable admin repository path, transient output, script content, and user/host anchors all match one bounded recurring workflow. Path alone does not clear the behavior.

- Do the user and host anchors fit the expected administrative scope?
  - Focus: user identity, host identity, reconstructed target scope, and recovered launch context.
  - Implication: escalate when a non-admin user, unusual service account, workstation, or unexpected host performs broad share discovery; lower concern when the same user and host anchors match the bounded management cohort, script path, and target set shown by local evidence.

- If local findings stay suspicious or unresolved, does the same share-discovery pattern change scope?
  - Focus: related alerts for `user.id` carrying the same ShareFinder/API-wrapper, access-check, or target-list pattern, plus same-host/user network events for SMB or file-server activity when script content suggests access testing or follow-on collection. $investigate_2 $investigate_5
  - Hint: if user scope is inconclusive, check related alerts for the same `host.id` before widening beyond this host. $investigate_3
  - Hint: network events need destination or share corroboration before they prove access or collection; missing network telemetry is unresolved, not benign.
  - Implication: broaden when the same script pattern, operator account, or host appears in unrelated share-discovery alerts; keep the case local when it stays confined to one `host.id`, one `user.id`, one script/source pattern, and one bounded target set.

- Escalate when reconstructed content, discovery breadth, access-check markers, source/output pattern, recovered launcher context, or user/host scope show unauthorized share discovery; close only when those categories bind to one recognized workflow with no contradictory evidence; preserve and escalate when evidence is mixed or incomplete.

### False positive analysis

- PowerView's Invoke-ShareFinder and raw P/Invoke NetShareEnum wrappers with shi1_netname/shi1_remark are offensive tooling patterns with near-zero legitimate administrative use. Legitimate share inventory uses built-in cmdlets (Get-SmbShare, net share) or management platforms, not these APIs. Close as benign true positive only for confirmed authorized red-team, penetration testing, or security validation where reconstructed script content, `user.id`, `host.id`, test-engagement scope, and recovered launch context all align. Do not close on an IT-administration claim when the script uses these specific offensive patterns.

### Response and remediation

- If confirmed benign, reverse any temporary containment and record the script owner, source path or recurring fileless content, expected `user.id`, expected `host.id`, target scope, and recovered launch context when available. Create a narrow exception only after the local evidence is confirmed and prior alerts, when present, show the same stable workflow.
- If suspicious but unconfirmed, preserve the reconstructed `powershell.file.script_block_text`, all fragments linked by `powershell.file.script_block_id`, alert process PID, recovered process record when available, source path, output or target/share list, `user.id`, and `host.id` before containment. Apply reversible containment first: heightened monitoring, temporary SMB restrictions from the affected host to named servers/shares, or temporary restrictions for the implicated account when access testing or credential misuse is indicated. Escalate to host isolation or stronger credential actions only if access testing, staging, or credential misuse is confirmed and host criticality permits it.
- If confirmed malicious, isolate the host or restrict the account only after preserving the reconstructed script, recovered launch context, source/output artifacts, and target/share list. Review the named servers, shares, accounts, and related alerts for the same indicators before deleting scripts, killing processes, or resetting credentials; remove malicious scripts, scheduled tasks, or credential material only after scope is complete.
- Post-incident hardening: keep PowerShell script block logging enabled, restrict unsigned or user-writable PowerShell execution on management hosts where feasible, retain endpoint and file-server telemetry needed to confirm share access, and record the confirmed workflow or malicious server/share list for future triage.
"""

setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]

[transform]

[[transform.investigate]]
label = "Script block fragments for the same script"
description = ""
providers = [
    [
        { excluded = false, field = "powershell.file.script_block_id", queryType = "phrase", value = "{{powershell.file.script_block_id}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the PowerShell instance"
description = ""
providers = [
    [
        { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Same host and user file events"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Same host and user network events"
description = ""
providers = [
    [
        { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1135"
name = "Network Share Discovery"
reference = "https://attack.mitre.org/techniques/T1135/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1039"
name = "Data from Network Shared Drive"
reference = "https://attack.mitre.org/techniques/T1039/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
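The following Python is an added example, not Elastic's code and not part of the rule above. It models two things a detection engineer will want to see side by side: the rule's KQL clause evaluated per script-block event (the way the query actually runs, one 4104 fragment at a time), and the first triage step of joining fragments by `powershell.file.script_block_id` + `powershell.sequence` + `powershell.total` on the same `host.id` to see whether the whole script was recovered. The events, SIDs and script snippets are constructed; the function names (`rule_fires`, `reconstruct`, `triage`) are this example's own; and the case-insensitive substring matching is an assumption about how the phrase terms behave on the indexed text field.

```python
from collections import defaultdict

LOCAL_SYSTEM_SID = "S-1-5-18"  # the rule excludes LocalSystem via `not user.id : "S-1-5-18"`

# Constructed script-block (event ID 4104) events; not real telemetry. Field names are
# the ones the rule and its investigation guide use. A long script is logged as
# `powershell.total` fragments that share one `powershell.file.script_block_id`.
SAMPLE_EVENTS = [
    # sb-1: a PowerView-style module split across two fragments; each fires on its own
    {"event.category": "process", "host.os.type": "windows", "host.id": "host-a",
     "user.id": "S-1-5-21-1-2-3-1001", "powershell.file.script_block_id": "sb-1",
     "powershell.sequence": 1, "powershell.total": 2,
     "powershell.file.script_block_text": "function Invoke-ShareFinder {\n param($ComputerName)\n"},
    {"event.category": "process", "host.os.type": "windows", "host.id": "host-a",
     "user.id": "S-1-5-21-1-2-3-1001", "powershell.file.script_block_id": "sb-1",
     "powershell.sequence": 2, "powershell.total": 2,
     "powershell.file.script_block_text": " $s.shi1_netname; $s.shi1_remark\n}\nInvoke-ShareFinder\n"},
    # sb-2: the same call run as LocalSystem, excluded by the user.id clause
    {"event.category": "process", "host.os.type": "windows", "host.id": "host-a",
     "user.id": LOCAL_SYSTEM_SID, "powershell.file.script_block_id": "sb-2",
     "powershell.sequence": 1, "powershell.total": 1,
     "powershell.file.script_block_text": "Invoke-ShareFinder -CheckShareAccess\n"},
    # sb-3: P/Invoke wrapper whose middle fragment never arrived (total=3, sequence 2 missing)
    {"event.category": "process", "host.os.type": "windows", "host.id": "host-b",
     "user.id": "S-1-5-21-1-2-3-1002", "powershell.file.script_block_id": "sb-3",
     "powershell.sequence": 1, "powershell.total": 3,
     "powershell.file.script_block_text": "[DllImport('netapi32.dll')] static extern int NetShareEnum(\n"},
    {"event.category": "process", "host.os.type": "windows", "host.id": "host-b",
     "user.id": "S-1-5-21-1-2-3-1002", "powershell.file.script_block_id": "sb-3",
     "powershell.sequence": 3, "powershell.total": 3,
     "powershell.file.script_block_text": "$r = NetShareEnum($srv, 1, [ref]$buf); NetApiBufferFree($buf)\n"},
    # sb-4: built-in cmdlet inventory, the benign pattern the false-positive note names
    {"event.category": "process", "host.os.type": "windows", "host.id": "host-c",
     "user.id": "S-1-5-21-1-2-3-1003", "powershell.file.script_block_id": "sb-4",
     "powershell.sequence": 1, "powershell.total": 1,
     "powershell.file.script_block_text": "Get-SmbShare | Export-Csv shares.csv\n"},
]


def script_text_matches(text: str) -> bool:
    """The rule's script_block_text clause. Substring matching, case-insensitive
    (assumption: the field is analyzed text; a keyword mapping would be case-sensitive)."""
    t = text.lower()
    return (
        "invoke-sharefinder" in t or "invoke-sharefinderthreaded" in t
        or ("shi1_netname" in t and "shi1_remark" in t)
        or ("netshareenum" in t and "netapibufferfree" in t)
    )


def rule_fires(event: dict) -> bool:
    """Per-event evaluation, as the KQL runs: every fragment is judged alone, so a
    wrapper whose NetShareEnum and NetApiBufferFree land in different fragments does
    not match on that fragment, while a bare function definition does."""
    return (
        event.get("event.category") == "process"
        and event.get("host.os.type") == "windows"
        and event.get("user.id") != LOCAL_SYSTEM_SID
        and script_text_matches(event.get("powershell.file.script_block_text", ""))
    )


def reconstruct(events: list) -> dict:
    """Triage step 1: join fragments per (host.id, script_block_id) in sequence order
    and record whether every one of the `powershell.total` fragments is present."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host.id"], ev["powershell.file.script_block_id"])].append(ev)
    blocks = {}
    for key, frags in groups.items():
        frags.sort(key=lambda e: e["powershell.sequence"])
        total = frags[0]["powershell.total"]
        blocks[key] = {
            "text": "".join(f["powershell.file.script_block_text"] for f in frags),
            "complete": [f["powershell.sequence"] for f in frags] == list(range(1, total + 1)),
        }
    return blocks


def triage(events: list) -> dict:
    """For every script block with at least one firing fragment: 'match-complete' when
    the whole script was recovered, 'match-incomplete' when fragments are missing
    (the guide treats missing fragments as unresolved, not benign)."""
    fired = {(e["host.id"], e["powershell.file.script_block_id"]) for e in events if rule_fires(e)}
    blocks = reconstruct(events)
    return {key: ("match-complete" if blocks[key]["complete"] else "match-incomplete")
            for key in sorted(fired)}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["powershell.file.script_block_id"], e["powershell.sequence"], rule_fires(e))
    print(triage(SAMPLE_EVENTS))
```

Running it shows the two fragments of sb-1 and the last fragment of sb-3 firing, sb-2 suppressed by the LocalSystem exclusion, and sb-4 never matching; the triage pass then reports sb-1 as fully reconstructed and sb-3 as incomplete, which is exactly the "missing fragments keep intent unresolved" case the investigation guide calls out.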
Related rules
- PowerShell Suspicious Discovery Related Windows API Functions
- Potential Invoke-Mimikatz PowerShell Script
- PowerShell Keylogging Script
- PowerShell Suspicious Script with Audio Capture Capabilities
- PowerShell Suspicious Script with Screenshot Capabilities