IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Network Share Discovery
editPotential Network Share Discovery
editAdversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-windows.*
- logs-system.security*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Discovery
- Tactic: Collection
- Rule Type: BBR
- Data Source: System
Version: 106
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by user.name, source.port, source.ip with maxspan=15s
[file where event.action == "network-share-object-access-checked" and
winlog.event_data.ShareName in ("\\\\*\\ADMIN$", "\\\\*\\C$") and
source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
[file where event.action == "network-share-object-access-checked" and
winlog.event_data.ShareName in ("\\\\*\\ADMIN$", "\\\\*\\C$") and
source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Network Share Discovery
- ID: T1135
- Reference URL: https://attack.mitre.org/techniques/T1135/
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Technique:
- Name: Data from Network Shared Drive
- ID: T1039
- Reference URL: https://attack.mitre.org/techniques/T1039/