Suspicious New-PSDrive to Admin Share
Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Sigma rule (View on GitHub)
1title: Suspicious New-PSDrive to Admin Share
2id: 1c563233-030e-4a07-af8c-ee0490a66d3a
3status: test
4description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
7 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
8author: frack113
9date: 2022/08/13
10tags:
11 - attack.lateral_movement
12 - attack.t1021.002
13logsource:
14 product: windows
15 category: ps_script
16 definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18 selection:
19 ScriptBlockText|contains|all:
20 - 'New-PSDrive'
21 - '-psprovider '
22 - 'filesystem'
23 - '-root '
24 - '\\\\'
25 - '$'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
The New-PSDrive cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a network drive, a directory on the local computer, or a registry key, and persistent Windows mapped network drives that are associated with a file system location on a remote computer. Temporary drives exist only in the current PowerShell session and in sessions that you create in the current session. They can have any name that is valid in PowerShell and can be mapped to any local or remote resource. You can use temporary PowerShell drives to access data in the associated data store, just as you would do with any mapped network drive. You can change locations into the drive, by using Set-Location, and access the contents of the drive by using Get-Item or Get-ChildItem. Because temporary drives are known only to PowerShell, you can't access them by using File Explorer, Windows Management Instrumentation (WMI), Component Object Model (COM), Microsoft .NET Framework, or with tools such as net use. The following features were added to New-PSDrive in PowerShell 3.0: Mapped network drives. You can use the Persist parameter of New-PSDrive to create Windows mapped network drives. Unlike temporary PowerShell drives, Windows mapped network drives aren't session-specific. They're saved in Windows and they can be managed by using standard Windows tools, such as File Explorer and net use. Mapped network drives must have a drive-letter name and be connected to a remote file system location. When your command is scoped locally, no dot-sourcing, the Persist parameter doesn't persist the creation of a PSDrive beyond the scope in which the command is running. If you're running New-PSDrive inside a script, and you want the drive to persist indefinitely, you must dot-source the script. For best results, to force a new drive to persist indefinitely, add the Scope parameter to your command, and set its value to Global. For more information about dot-sourcing, see about_Scripts. External drives. When an external drive is connected to the computer, PowerShell automatically adds a PSDrive to the file system that represents the new drive. You don't have to restart PowerShell. Similarly, when an external drive is disconnected from the computer, PowerShell automatically deletes the PSDrive that represents the removed drive. Credentials for Universal Naming Convention (UNC) paths. When the value of the Root parameter is a UNC path, such as \\Server\Share, the credential specified in the value of the Credential parameter is used to create the PSDrive. Otherwise, Credential isn't effective when you're creating new file system drives. Some code samples use splatting to reduce the line length and improve readability. For more information, see about_Splatting. Note Unless you use the Scope parameter, PSDrives are created in the scope in which the New-PSDrive command is run.
Read More
Related rules
- Metasploit Or Impacket Service Installation Via SMB PsExec
- SMB Create Remote File Admin Share
- Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
- Default Impacket Service Creation Via Registry Keys (RedCanary Threat Detection Report)
- File Writes Within Admin Shares (RedCanary Threat Detection Report)