Invoke-ShareFinder Discovery Activity

calendar Feb 23, 2024 · attack.discovery attack.t1135  ·
Share on: linkedin copy

Use of Invoke-ShareFinder detected via PowerShell logging

Sigma rule (View on GitHub)

 1title: Invoke-ShareFinder Discovery Activity
 2id: fbedfe8c-3e02-4f3c-b521-4b83d5054fd1
 3status: experimental
 4description: |
 5        Use of Invoke-ShareFinder detected via PowerShell logging
 6references:
 7    - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares
 8    - https://powersploit.readthedocs.io/en/stable/Recon/README/
 9
10author: TheDFIRReport
11date: 2023-01-22
12modified: 2024-02-23
13tags:
14    - attack.discovery
15    - attack.t1135
16logsource:
17    product: windows
18    category: ps_module
19    definition: 'Requirements: PowerShell Module Logging must be enabled'
20detection:
21    selection_4103:
22        Payload|contains: 'Invoke-ShareFinder'
23    condition: selection_4103
24falsepositives:
25    - Unknown
26level: High

References

  • ShareFinder: How Threat Actors Discover File Shares

    Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all thre…


    Read More

  • README - PowerSploit

    To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. The default p...


    Read More

Related rules

to-top