Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Sigma rule (View on GitHub)
1title: Suspicious Get Information for SMB Share - PowerShell Module
2id: 6942bd25-5970-40ab-af49-944247103358
3status: test
4description: |
5 Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
6 to identify potential systems of interest for Lateral Movement.
7 Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
10author: frack113
11date: 2021-12-15
12modified: 2022-12-02
13tags:
14 - attack.discovery
15 - attack.t1069.001
16logsource:
17 product: windows
18 category: ps_module
19 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
20detection:
21 selection:
22 - Payload|contains: get-smbshare
23 - ContextInfo|contains: get-smbshare
24 condition: selection
25falsepositives:
26 - Administrator script
27level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Local Groups Discovery - Linux