Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Sigma rule (View on GitHub)
1title: Suspicious Get Information for SMB Share
2id: 95f0643a-ed40-467c-806b-aac9542ec5ab
3status: test
4description: |
5 Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
6 a precursor for Collection and to identify potential systems of interest for Lateral Movement.
7 Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
10author: frack113
11date: 2021-12-15
12modified: 2022-12-25
13tags:
14 - attack.discovery
15 - attack.t1069.001
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains: get-smbshare
23 condition: selection
24falsepositives:
25 - Unknown
26level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Local Groups Discovery - Linux