A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)[1]
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

Data Collection Measures:

- `auditpol /set /subcategory:"File Share" /success:enable /failure:enable` (enables success and failure auditing for the File Share subcategory)
- `Set-ExecutionPolicy RemoteSigned`
- Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment: set "Access this computer from the network" to restrict unauthorized accounts.
- Monitoring of the `open`, `read`, `write`, and `connect` syscalls: detects access to NFS, CIFS, and SMB network shares.
- `lsof | grep nfs` or `lsof | grep smb`: identifies active network share connections.
- `mount | grep nfs` or `mount | grep cifs`: lists currently mounted network shares.
- `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access`: audits `open` calls against the mounted share under the key `network_share_access`.
- `netstat -an | grep :445`: lists connections on TCP port 445 (SMB).
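The `auditctl` rule above tags every matching `open` call with the key `network_share_access`, but auditd writes one event as several records (SYSCALL, CWD, PATH) that share a serial number. The following parser, an added example that is not part of the ATT&CK page, joins those records back into one event per access and flags accesses that deviate from an expected set of login uids and programs for the share. The log lines are constructed (uids, pids, paths and timestamps are invented), and the approved uid and program sets are assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample auditd output of the kind produced by the rule
# "-k network_share_access". All values are invented for illustration.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=900 pid=1201 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="network_share_access"
type=PATH msg=audit(1700000000.101:301): item=0 name="/mnt/share/q3.xlsx" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:302): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1 pid=1330 auid=4294967295 uid=0 gid=0 euid=0 comm="backup" exe="/usr/local/bin/backup" key="network_share_access"
type=PATH msg=audit(1700000000.202:302): item=0 name="/mnt/share/reports" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:303): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=900 pid=1402 auid=1002 uid=1002 gid=1002 euid=1002 comm="python3" exe="/usr/bin/python3" key="network_share_access"
type=PATH msg=audit(1700000000.303:303): item=0 name="/mnt/share/salaries.csv" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:304): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=900 pid=1500 auid=1001 uid=1001 gid=1001 euid=1001 comm="vim" exe="/usr/bin/vim" key="other_rule"
type=PATH msg=audit(1700000000.404:304): item=0 name="/etc/hosts" nametype=NORMAL
"""

AUDIT_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # auditd logs -1 (no login uid) as this value


def parse_record(line):
    """Split one auditd record into a dict of its key=value fields."""
    m = AUDIT_MSG.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def parse_audit_log(text, key="network_share_access"):
    """Join the SYSCALL and PATH records that share a serial into one event."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["_serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue  # produced by some other audit rule
        events.append({
            "serial": serial,
            "ts": syscall["_ts"],
            "auid": int(syscall.get("auid", AUID_UNSET)),
            "uid": int(syscall.get("uid", -1)),
            "exe": syscall.get("exe", ""),
            "success": syscall.get("success") == "yes",
            "paths": [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r],
        })
    return events


def flag_share_access(events, approved_auids, approved_exes):
    """Return events that deviate from the expected users/programs for the share."""
    findings = []
    for ev in events:
        reasons = []
        if ev["auid"] == AUID_UNSET:
            reasons.append("no login uid (daemon or unattended session)")
        elif ev["auid"] not in approved_auids:
            reasons.append("unapproved login uid %d" % ev["auid"])
        if ev["exe"] not in approved_exes:
            reasons.append("unexpected program %s" % ev["exe"])
        if not ev["success"]:
            reasons.append("open failed")
        if reasons:
            findings.append({"serial": ev["serial"], "paths": ev["paths"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Assumed baseline for the sample: uid 1001 using cat or vim is normal.
    for f in flag_share_access(parse_audit_log(SAMPLE_AUDIT_LOG),
                               {1001}, {"/usr/bin/cat", "/usr/bin/vim"}):
        print(f["serial"], f["paths"], "; ".join(f["reasons"]))
```

Keying on `auid` (the login uid) rather than `uid` matters: a process that escalated to root still carries the uid it logged in with, and an unset `auid` marks access from a daemon or a session that never went through PAM, which is worth reviewing on its own.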
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
| ICS | T0811 | Data from Information Repositories | In the case of detecting collection from shared network drives, monitor for unexpected and abnormal accesses to network shares. |
| Enterprise | T1039 | Data from Network Shared Drive | Monitor for unexpected and abnormal accesses to network shares. |
| Enterprise | T1570 | Lateral Tool Transfer | Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as SMB. |
| ICS | T0867 | Lateral Tool Transfer | Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB). |
| Enterprise | T1021 | Remote Services | Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB). |
| ICS | T0886 | Remote Services | Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see Remote Services and applicable sub-techniques. |
| Enterprise | T1080 | Taint Shared Content | Monitor for unexpected and abnormal accesses to network shares, especially those also associated with file activity. Monitor access to shared network directories to detect unauthorized or suspicious access, especially from unfamiliar accounts or at unusual times. Identify potential attempts to access hidden files or unusual file types within the directory. |
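Two of the patterns in the table above are simple to express over Windows EID 5145 records: administrative shares (names ending in `$`) opened by accounts that have no business using them (T1021.002), and one account opening shares on many hosts in a short window (the "large numbers of systems" pattern for T1486 and T1570). The code below is an added example, not part of the ATT&CK page; the records are constructed to resemble 5145 fields (`SubjectUserName`, `IpAddress`, `ShareName`, `RelativeTargetName`, with `Computer` as the logging host), and the approved-account list, host threshold and window are assumptions for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on the fields of Security event 5145.
# "Computer" is the host that logged the event (the share's server).
# Hostnames, accounts, addresses and times are invented for illustration.
SAMPLE_5145 = [
    {"time": "2024-05-01T09:00:00", "Computer": "FS01", "SubjectUserName": "alice",
     "IpAddress": "10.0.1.20", "ShareName": r"\\*\Finance", "RelativeTargetName": "q3.xlsx"},
    {"time": "2024-05-01T09:01:00", "Computer": "FS01", "SubjectUserName": "svc-backup",
     "IpAddress": "10.0.1.5", "ShareName": r"\\*\C$", "RelativeTargetName": "Users"},
    {"time": "2024-05-01T10:00:00", "Computer": "WS01", "SubjectUserName": "bob",
     "IpAddress": "10.0.1.77", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "setup.exe"},
    {"time": "2024-05-01T10:00:30", "Computer": "WS02", "SubjectUserName": "bob",
     "IpAddress": "10.0.1.77", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "setup.exe"},
    {"time": "2024-05-01T10:01:00", "Computer": "WS03", "SubjectUserName": "bob",
     "IpAddress": "10.0.1.77", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "setup.exe"},
    {"time": "2024-05-01T10:01:30", "Computer": "WS04", "SubjectUserName": "bob",
     "IpAddress": "10.0.1.77", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "setup.exe"},
]


def admin_share_access(events, approved_accounts):
    """Administrative shares (names ending in $) opened by accounts outside
    the approved set: the T1021.002 pattern from the table."""
    approved = {a.lower() for a in approved_accounts}
    return [e for e in events
            if e["ShareName"].endswith("$")
            and e["SubjectUserName"].lower() not in approved]


def share_fan_out(events, min_hosts=3, window_minutes=5):
    """Accounts that open shares on at least min_hosts distinct hosts within
    window_minutes: the 'large numbers of systems' pattern for T1486/T1570."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["SubjectUserName"].lower()].append(
            (datetime.fromisoformat(e["time"]), e["Computer"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, seen in by_user.items():
        seen.sort()  # sliding window over the account's accesses in time order
        for i, (start, _) in enumerate(seen):
            hosts = {host for t, host in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "start": start.isoformat(),
                                 "hosts": sorted(hosts)})
                break  # one finding per account is enough
    return findings


if __name__ == "__main__":
    # Assumed baseline: only the backup service account normally opens admin shares.
    for e in admin_share_access(SAMPLE_5145, {"svc-backup"}):
        print("admin share:", e["SubjectUserName"], e["ShareName"], "on", e["Computer"])
    for f in share_fan_out(SAMPLE_5145):
        print("fan-out:", f["user"], "reached", len(f["hosts"]), "hosts from", f["start"])
```

Note that EID 5145 is only written when the Detailed File Share audit subcategory is enabled; the `auditpol` command in the collection measures above enables the File Share subcategory, which yields EID 5140 (share opened) but not the per-file 5145 records this example keys on.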