Invoke-ShareFinder Discovery Activity
Use of Invoke-ShareFinder detected via PowerShell Script Block logging
Sigma rule (View on GitHub)
1title: Invoke-ShareFinder Discovery Activity
2id: 5e93e240-5484-458a-9663-18157e01e897
3status: experimental
4description: |
5 Use of Invoke-ShareFinder detected via PowerShell Script Block logging
6references:
7 - https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
8 - https://powersploit.readthedocs.io/en/stable/Recon/README/
9
10author: TheDFIRReport
11date: 2023-01-23
12modified: 2024-02-23
13tags:
14 - attack.discovery
15 - attack.t1135
16logsource:
17 product: windows
18 service: powershell
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection:
22 ScriptBlockText|contains: 'Invoke-ShareFinder'
23 condition: selection
24falsepositives:
25 - Unknown
26level: High
References
-
Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all … Read More
Read More -
To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. The default p...
Read More
Related rules
- Invoke-ShareFinder Discovery Activity
- NetScan Share Enumeration Write Access Check
- HackTool - SharpView Execution
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution