A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS).[1]
Opening a network share, which makes the contents available to the requestor (e.g., Windows EID 5140 or 5145).
| Domain | ID | Name | Detects |
|---|---|---|---|
| ICS | T0811 | Data from Information Repositories | When detecting collection from shared network drives, monitor for unexpected and abnormal accesses to network shares. |
| ICS | T0867 | Lateral Tool Transfer | Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB). |
| ICS | T0886 | Remote Services | Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background, see Remote Services and applicable sub-techniques. |
| Enterprise | T1039 | Data from Network Shared Drive | Monitor for unexpected and abnormal accesses to network shares. |
| Enterprise | T1486 | Data Encrypted for Impact | Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
| Enterprise | T1570 | Lateral Tool Transfer | Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as SMB. |
| Enterprise | T1080 | Taint Shared Content | Monitor for unexpected and abnormal accesses to network shares, especially those also associated with file activity. |
| Enterprise | T1021 | Remote Services | Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB). |