T1039: Data from Network Shared Drive

Data from MITRE ATT&CK®:

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Network Share Access (Network Share)

Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

Network Connection Creation (Network Traffic)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

File Access (File)

Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)

Copy a sensitive File over Administrative share with copy

windows

Copy a sensitive File over Administrative share with Powershell

windows

Copy From Or To Admin Share Or Sysvol Folder

windows process creation

Suspicious Access to Sensitive File Extensions

windows