# T1135 Network Share Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. 

File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for smb services.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * macOS

  * Windows

  * Linux

### Adversary Required Permissions:

  * User

### Data Sources:

  * **Process:** Process Creation

  * **Process:** OS API Execution

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used tools such as [NBTscan](https://attack.mitre.org/software/S0590) to enumerate network shares.(Citation: TrendMicro Tonto Team October 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has discovered network disks mounted to the system using netstat.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net share</code> and <code>net view</code> to identify network shares of interest.(Citation: NCC Group Chimera January 2021)| 
| DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) scanned the network for public shared folders.(Citation: Securelist DarkVishnya Dec 2018)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used the <code>net view</code> command to locate mapped network shares.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)| 
| APT41 |  [APT41](https://attack.mitre.org/groups/G0096) used the <code>net share</code> command as part of network reconnaissance.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used the post exploitation tool [CrackMapExec](https://attack.mitre.org/software/S0488) to enumerate network shares.(Citation: BitDefender Chafer May 2020)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has enumerated network shares on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>netview</code> to scan target systems for shared resources.(Citation: TrendMicro TropicTrooper 2015)| 
| Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) listed remote shared drives that were accessible from a victim.(Citation: Symantec Sowbug Nov 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) used the <code>net view</code> command to show all shares available, including the administrative shares such as <code>C$</code> and <code>ADMIN$</code>.(Citation: Cybereason Cobalt Kitty 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.(Citation: US-CERT TA18-074A)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) listed connected network shares.(Citation: Mandiant APT1)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1135)

  * [Capec](https://capec.mitre.org/data/definitions/643.html)

  * [Wikipedia Shared Resource](https://en.wikipedia.org/wiki/Shared_resource), Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.

  * [Technet Shared Folder](https://technet.microsoft.com/library/cc770880.aspx), Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will query network shares to discover victim infrastructure.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Empire can find shared drives on the local system.

#### APT28
- Koadic can scan the local network for open SMB.
- Zebrocy identifies network drives when they are added to victim systems.

#### APT29
- Cobalt Strike can query shared drives on the local system.

## Detection Blindspots

- Custom tools may conceal themselves from these analytics.

## Analytical References

  * [Atomic Red Team T1135 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md)
  * [A Slice of 2017 Sofacy Activity (securelist)](https://securelist.com/a-slice-of-2017-sofacy-activity/83930/)
  * [TTP Reports (cobaltstrike)](https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information.


#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** net.exe hands most verbs off to net1.exe, so both image names must be covered. Matching on process.name alone misses a renamed copy of the binary; where the pipeline carries Sysmon's OriginalFileName, match on that as well. Administrators and logon scripts also run <code>net view</code> and <code>net share</code>, so baseline by user and host rather than alerting on a single event. In KQL the alternatives must be grouped in parentheses, otherwise <code>net1.exe</code> is treated as a free-text term rather than a second process name.

  * **Query:** ```process.name : (net.exe or net1.exe) and process.command_line : (*view* or *share*)```
  * **Query:** ```process.name : wmic.exe and process.command_line : (*net* or *share*)```

#### Analytic 2

  * **Information:** Look in the message or script block text of PowerShell event 4104 for cmdlets and classes used to enumerate shares, e.g. Get-SmbShare, Get-SmbMapping, Get-SmbConnection, or Get-CimInstance Win32_Share.

  * **Source:** Windows Event Logs (Microsoft-Windows-PowerShell/Operational, script block logging)

  * **Tool:** Kibana

  * **Notes:** Event 4104 only exists where script block logging is enabled on the endpoint. The query below returns every logged script block; narrow it on the script block text field once you have confirmed that field's name in your index (Winlogbeat's PowerShell module stores it in powershell.file.script_block_text).

  * **Query:** ```event.code : 4104```
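To show Host Analytics 1 and 2 as executable logic rather than only as Kibana queries, here is an added Python example (not code from this playbook, from MITRE, or from any of the tools named above) that applies both analytics to a handful of constructed Sysmon and PowerShell events. It assumes the ECS-style field names used in the queries above (process.name, process.command_line, event.code) plus two fields that are assumptions about the ingest pipeline: `process.pe.original_file_name` for Sysmon's OriginalFileName and `powershell.file.script_block_text` for the 4104 script block text.

```python
"""
Added example (not the playbook's or MITRE's code): the logic of Host
Analytics 1 and 2 applied to constructed Sysmon / PowerShell events.

Events are dicts keyed like the ECS fields the Kibana queries use
(process.name, process.command_line, event.code). Two further keys are
assumptions about the ingest pipeline: process.pe.original_file_name for
Sysmon's OriginalFileName and powershell.file.script_block_text for the
4104 script block text.
"""
import re

NET_BINARIES = {"net.exe", "net1.exe"}
NET_VERBS = {"view", "share"}          # the verbs Analytic 1 looks for
WMIC_VERBS = {"share", "netuse"}       # wmic share get ... / wmic netuse

# Analytic 2: share-enumeration cmdlets/classes inside a 4104 script block.
PS_SHARE_ENUM = re.compile(
    r"Get-SmbShare|Get-SmbMapping|Get-SmbConnection|Win32_Share"
    r"|\bnet1?(?:\.exe)?\s+(?:view|share)\b",
    re.IGNORECASE,
)


def image_name(event):
    """Binary name to match on. Prefer the PE OriginalFileName so a copy of
    net.exe renamed by the attacker is still recognised (the blindspot noted
    above); fall back to process.name."""
    return (event.get("process.pe.original_file_name")
            or event.get("process.name", "")).lower()


def command_tokens(event):
    return event.get("process.command_line", "").split()


def match_process_creation(event):
    """Analytic 1. Returns a label, or None if the event is not of interest."""
    name = image_name(event)
    tokens = command_tokens(event)
    # net.exe / net1.exe: the verb is the first argument after the image.
    if name in NET_BINARIES:
        verb = tokens[1].lower() if len(tokens) > 1 else ""
        return f"T1135 net {verb}" if verb in NET_VERBS else None
    # wmic: "share" may follow switches such as /node:, so scan all arguments.
    if name == "wmic.exe":
        for tok in tokens[1:]:
            if tok.lower() in WMIC_VERBS:
                return f"T1135 wmic {tok.lower()}"
    return None


def match_script_block(event):
    """Analytic 2: cmdlet or class names in the logged script block text."""
    m = PS_SHARE_ENUM.search(event.get("powershell.file.script_block_text", ""))
    return f"T1135 powershell {m.group(0)}" if m else None


def classify(event):
    code = str(event.get("event.code", ""))
    if code in {"1", "4688"}:          # Sysmon / Security process creation
        return match_process_creation(event)
    if code == "4104":                 # PowerShell script block logging
        return match_script_block(event)
    return None


def hunt(events):
    """Return (host, label) for every event that matches either analytic."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((ev.get("host.name", "?"), label))
    return hits


# Constructed sample events; none of these come from a real environment.
SAMPLE_EVENTS = [
    {"host.name": "WS01", "event.code": 1, "process.name": "net.exe",
     "process.pe.original_file_name": "net.exe",
     "process.command_line": r"net view \\FS01"},
    {"host.name": "WS01", "event.code": 1, "process.name": "net1.exe",
     "process.pe.original_file_name": "net1.exe",
     "process.command_line": r"C:\Windows\system32\net1 share"},
    # net.exe copied to svc.exe: process.name alone would miss it.
    {"host.name": "WS02", "event.code": 1, "process.name": "svc.exe",
     "process.pe.original_file_name": "net.exe",
     "process.command_line": r"C:\Users\Public\svc.exe view /domain"},
    {"host.name": "WS02", "event.code": 1, "process.name": "wmic.exe",
     "process.pe.original_file_name": "wmic.exe",
     "process.command_line": "wmic /node:FS01 share get Name,Path"},
    # Benign: same binary, a verb the analytic does not care about.
    {"host.name": "WS01", "event.code": 1, "process.name": "net.exe",
     "process.pe.original_file_name": "net.exe",
     "process.command_line": "net user"},
    {"host.name": "WS03", "event.code": 4104,
     "powershell.file.script_block_text": "Get-SmbShare | Where-Object Special -eq $false"},
    {"host.name": "WS03", "event.code": 4104,
     "powershell.file.script_block_text": r"Get-ChildItem C:\temp"},
    {"host.name": "WS01", "event.code": 3, "process.name": "net.exe"},  # network connect, ignored
]

if __name__ == "__main__":
    for host, label in hunt(SAMPLE_EVENTS):
        print(host, label)
```

Matching on OriginalFileName rather than the on-disk name is what closes part of the blindspot listed above: a renamed net.exe still reports its original PE name in Sysmon event 1. It does not help against a custom tool that calls the NetShareEnum API directly, which is why the MITRE guidance also lists OS API Execution as a data source. Note that <code>net use</code> is deliberately not matched, since the playbook's queries only cover the <code>view</code> and <code>share</code> verbs.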



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

