# T1080 Taint Shared Content

-----------------------------------------------------------------------

## Technique Description


Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.

A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)

Adversaries may also compromise shared network directories through binary infections by appending or prepending the malware's code to a healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.

## Technique Detection

Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.

Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typically exist in directories used to share specific types of content.

-----------------------------------------------------------------------

### Tactics:

  *   Lateral-Movement

### Platforms:

  * Windows

  * Office 365

  * SaaS

  * Linux

  * macOS

### Adversary Required Permissions:

  * User

### System Requirements:

  * Access to shared folders and content with write permissions

### Data Sources:

  * **Process:** Process Creation

  * **File:** File Creation

  * **File:** File Modification

  * **Network Share:** Network Share Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has placed malware on file shares and given it the same name as legitimate documents on the share.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has injected malicious macros into all Word and Excel documents on mapped network drives.(Citation: ESET Gamaredon June 2020)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) used a virus that propagates by infecting executables stored on shared drives.(Citation: Kaspersky Darkhotel)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1080)

  * [Capec](https://capec.mitre.org/data/definitions/562.html)

  * [Retwin Directory Share Pivot](https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html), Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Abusing User Shares for Efficient (blogspot)](https://rewtin.blogspot.com/2017/11/abusing-user-shares-for-efficient.html)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Processes that write or overwrite many files to a network shared directory may be suspicious.
- Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.
- Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typically exist in directories used to share specific types of content.
- Audit process tracking and create use cases based on usage of sensitive Microsoft-signed binaries (mshta, powershell, rundll32...)

#### Analytic 1

  * **Information:** Monitor creation of .lnk files. Verify where these .lnk files point (target and command-line arguments).

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** Hidden items that match real directories could contain links to malicious content.
      - i.e. when a user clicks on a fake directory:
        - the user still reaches the real directory
        - the malware is executed locally
      - Example:
        - Directory .lnk command line arguments: `.\Windows\system32\cmd.exe /c start explorer.exe "Intel" & type "3b5a5b29263677d600.exe" > "%temp%\3b5a5b29263677d600.exe" && "%temp%\3b5a5b29263677d600.exe"`

  * **Query:** ```event.code : 11 and TargetFilename : *.lnk```
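Added example for the share-pivot pattern in Analytic 1 (not part of the MITRE page or the DirSharePivot write-up): a PowerShell scan that walks a share for .lnk files that sit beside a hidden directory of the same name, or whose target/arguments run a command interpreter and then re-launch explorer, and reports them. `$SharePath` is an assumed parameter; the launcher list and regexes are this example's own heuristics.

```powershell
# Scan a share for shortcut files that masquerade as sibling hidden directories.
# Example code added here, not from the page; $SharePath is an assumed parameter.
param(
    [Parameter(Mandatory = $true)]
    [string]$SharePath
)

# Launchers a benign "open this folder" shortcut has no reason to invoke.
$suspiciousLaunchers = 'cmd.exe', 'powershell.exe', 'mshta.exe', 'rundll32.exe', 'wscript.exe', 'cscript.exe'

function Find-MasqueradingShortcut {
    param([string]$Root)

    $shell = New-Object -ComObject WScript.Shell
    # -Force is needed so hidden .lnk files and hidden directories are enumerated.
    Get-ChildItem -Path $Root -Recurse -Force -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk       = $_
            $link      = $shell.CreateShortcut($lnk.FullName)
            $target    = [string]$link.TargetPath
            $arguments = [string]$link.Arguments

            # A real directory with the same base name as the shortcut, living beside it.
            $sibling    = Join-Path $lnk.DirectoryName $lnk.BaseName
            $hiddenTwin = $false
            if (Test-Path -LiteralPath $sibling -PathType Container) {
                $attr = (Get-Item -LiteralPath $sibling -Force).Attributes
                $hiddenTwin = ($attr -band [IO.FileAttributes]::Hidden) -ne 0
            }

            $launcher  = $suspiciousLaunchers -contains ([IO.Path]::GetFileName($target)).ToLower()
            # "start explorer ..." combined with a dropped executable is the pivot signature.
            $pivotLike = ($arguments -match '(?i)\bstart\b.*explorer(\.exe)?') -and ($arguments -match '(?i)%temp%|\.exe')

            if ($hiddenTwin -or $launcher -or $pivotLike) {
                [pscustomobject]@{
                    Shortcut   = $lnk.FullName
                    HiddenTwin = $hiddenTwin
                    Target     = $target
                    Arguments  = $arguments
                    Reasons    = (@(
                        if ($hiddenTwin) { 'hidden-directory-with-same-name' }
                        if ($launcher)   { 'shortcut-runs-command-interpreter' }
                        if ($pivotLike)  { 'args-start-explorer-and-drop-exe' }
                    ) -join ',')
                }
            }
        }
}

Find-MasqueradingShortcut -Root $SharePath | Format-Table -AutoSize
```

Run it from a host with read access to the share; any hit with `HiddenTwin` true deserves a look at the twin directory's contents as well.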

#### Analytic 2

  * **Information:** Infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event.code : 11 and TargetFilename : (*.lnk or *.exe or *.dll or *.scr or *.bat or *.vbs)```
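Added example for the hunter note "processes that write or overwrite many files to a network shared directory" combined with the extension list of Analytic 2 (example code, not from the page): a PowerShell function that groups Sysmon FileCreate (event ID 11) records by process and flags one that drops more than a threshold of watched-extension files onto UNC share paths within a short window. The events are constructed sample data; the field names mirror Sysmon's EventData, and the threshold and window are assumed tuning values.

```powershell
# Flag a process that creates many share-hosted files with watched extensions in a short window.
# Example code added here; the sample events below are constructed, not real telemetry.
$watchedExtensions = '.lnk', '.exe', '.dll', '.scr', '.bat', '.vbs'

function Find-ShareWriteBurst {
    param(
        [object[]]$Events,          # objects with UtcTime, ProcessId, Image, TargetFilename
        [int]$Threshold = 5,        # files per process per window before we alert (assumed)
        [int]$WindowMinutes = 10    # assumed window
    )
    $Events |
        Where-Object {
            # Keep only writes onto a UNC share path whose extension is on the watch list.
            ($_.TargetFilename -match '^\\\\[^\\]+\\') -and
            ($watchedExtensions -contains [IO.Path]::GetExtension($_.TargetFilename).ToLower())
        } |
        Group-Object ProcessId, Image |
        ForEach-Object {
            $sorted   = $_.Group | Sort-Object { [datetime]$_.UtcTime }
            $first    = [datetime]$sorted[0].UtcTime
            $inWindow = @($sorted | Where-Object { ([datetime]$_.UtcTime - $first).TotalMinutes -le $WindowMinutes })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    ProcessId = $sorted[0].ProcessId
                    Image     = $sorted[0].Image
                    Files     = $inWindow.Count
                    # \\server\share portion of each path, de-duplicated.
                    Shares    = ($inWindow.TargetFilename |
                                 ForEach-Object { ($_ -split '\\')[2..3] -join '\' } |
                                 Sort-Object -Unique) -join ';'
                }
            }
        }
}

# Constructed sample: one process dropping six .lnk files on a share within six minutes,
# and Word saving a single document, which must not alert.
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{ UtcTime = ('2022-06-23 10:0{0}:00' -f $_); ProcessId = 4120
                           Image = 'C:\Users\alice\AppData\Local\Temp\svc.exe'
                           TargetFilename = "\\fs01\projects\Intel$($_).lnk" }
    }
    [pscustomobject]@{ UtcTime = '2022-06-23 10:05:00'; ProcessId = 2200
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       TargetFilename = '\\fs01\projects\report.docx' }
)
Find-ShareWriteBurst -Events $sample | Format-Table -AutoSize
```

For live data, pull records with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=11}` and map each event's EventData `UtcTime`, `ProcessId`, `Image` and `TargetFilename` into the same shape before passing them in.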

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```