Invoke-ShareFinder Script Block Execution

 1title: Invoke-ShareFinder Script Block Execution
 2id: 5e93e240-5484-458a-9663-18157e01e897
 3status: experimental
 4description: |
 5        Use of Invoke-ShareFinder detected via PowerShell Script Block logging
 6references:
 7    - https://thedfirreport.com/2023-01-23/sharefinder-how-threat-actors-discover-file-shares/
 8    - https://powersploit.readthedocs.io/en/stable/Recon/README/
 9
10author: "The DFIR Report"
11date: 2023-01-23
12modified: 2025-02-07
13tags:
14    - attack.discovery
15    - attack.t1135
16    - dist.public
17logsource:
18    product: windows
19    service: powershell
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    selection:
23        ScriptBlockText|contains: 'Invoke-ShareFinder'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

• ShareFinder: How Threat Actors Discover File Shares

  

  Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all thre…

  
  Read More

• README - PowerSploit

  To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. The default p...

  
  Read More

Related rules

• Invoke-ShareFinder Module Load Detection
• NetScan Share Enumeration Write Access Check
• Viewing remote directories
• File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
• PUA - Advanced IP Scanner Execution