Invoke-ShareFinder Module Load Detection

 1title: Invoke-ShareFinder Module Load Detection
 2id: fbedfe8c-3e02-4f3c-b521-4b83d5054fd1
 3status: experimental
 4description: |
 5        Use of Invoke-ShareFinder detected via PowerShell logging
 6references:
 7    - https://thedfirreport.com/2023-01-23/sharefinder-how-threat-actors-discover-file-shares
 8    - https://powersploit.readthedocs.io/en/stable/Recon/README/
 9
10author: "The DFIR Report"
11date: 2023-01-22
12modified: 2022-02-07
13tags:
14    - attack.discovery
15    - attack.t1135
16    - dist.public
17logsource:
18    product: windows
19    category: ps_module
20    definition: 'Requirements: PowerShell Module Logging must be enabled'
21detection:
22    selection_4103:
23        Payload|contains: 'Invoke-ShareFinder'
24    condition: selection_4103
25falsepositives:
26    - Unknown
27level: high

References

• ShareFinder: How Threat Actors Discover File Shares

  

  Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all thre…

  
  Read More

• README - PowerSploit

  To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. The default p...

  
  Read More

Related rules

• Invoke-ShareFinder Script Block Execution
• NetScan Share Enumeration Write Access Check
• Viewing remote directories
• File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
• HackTool - SharpView Execution