Network Share Discovery (T1135)
Network Share Discovery [T1135]
Last updated
Network Share Discovery [T1135]
Last updated
Name: Network Share Discovery
ID: T1135
Tactics:
Network Share Discovery (MITRE ATT&CK Technique ID: T1135) refers to adversaries enumerating shared network resources to identify available file shares, folders, or printers within an organization's internal network. Attackers leverage this technique to locate valuable information, identify additional targets, and facilitate lateral movement. Recognized within the MITRE ATT&CK framework, this technique is categorized under the "Discovery" tactic, focusing specifically on gathering information about networked systems and resources.
Network Share Discovery involves systematically identifying and enumerating shared resources available on remote systems within a network. Attackers utilize various built-in operating system tools, custom scripts, or third-party utilities to identify accessible shares and resources.
Common technical execution methods include:
Windows Environment:
Built-in commands such as net view, net share, and net use to enumerate accessible shares.
Utilizing PowerShell commands like Get-SmbShare, Get-NetShare, or scripts leveraging Windows Management Instrumentation (WMI) to enumerate network resources.
Leveraging SMB (Server Message Block) protocol scanning tools like SMBMap, SMBClient, or custom scripts to discover and enumerate SMB shares.
Linux/Unix Environment:
Using tools such as smbclient to list SMB shares hosted on Windows or Samba servers.
Leveraging Nmap scripts (e.g., smb-enum-shares) to automate discovery of SMB shares across multiple hosts.
Employing custom scripts or manual enumeration techniques via command-line utilities to identify NFS (Network File System) shares (showmount command).
Mechanisms behind this technique:
SMB protocol enumeration requests to target hosts.
Network scanning and probing to identify open ports (TCP 139, TCP 445 for SMB).
Authentication attempts (anonymous or credential-based) to enumerate shares and permissions.
Real-world procedures observed:
Attackers often perform initial enumeration anonymously to identify publicly accessible shares.
Once credentials are compromised, adversaries enumerate shares to locate sensitive data or administrative resources.
Enumerated shares can provide attackers with insights into network topology, system roles, and potential pivot points for lateral movement.
Network Share Discovery is commonly observed across various attack stages and scenarios:
Initial Reconnaissance:
Attackers perform enumeration to gather information about available resources and potential entry points within a network.
Anonymous enumeration to identify misconfigured or publicly accessible shares.
Lateral Movement:
After initial compromise, adversaries enumerate network shares to identify sensitive data, credentials, or configuration files.
Attackers leverage discovered shares to pivot to additional systems within the network.
Data Exfiltration:
Attackers identify and access network shares containing sensitive information, intellectual property, or personally identifiable information (PII) for exfiltration purposes.
Privilege Escalation:
Identifying improperly secured administrative shares (ADMIN$, C$) facilitates gaining higher privileges or further compromise of target systems.
Detection of Network Share Discovery involves monitoring and analyzing specific network activities, logs, and behaviors:
Endpoint and Host-Based Monitoring:
Monitor execution of enumeration commands (net view, net share, PowerShell SMB commands).
Detect anomalous usage of administrative tools or utilities not typically used by regular users.
Network Traffic Analysis:
Detect anomalous SMB scanning activity, such as high-volume SMB requests or scanning multiple hosts in rapid succession.
Identify unusual SMB enumeration attempts, especially anonymous or failed authentication attempts.
Logging and SIEM Solutions:
Analyze Windows Event Logs (Event IDs 5140, 5145) indicating access to network shares.
Monitor authentication logs for unusual patterns of anonymous or failed SMB authentication attempts.
Use centralized log management (SIEM) to correlate SMB enumeration events across multiple systems.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS):
Deploy IDS/IPS signatures that detect SMB enumeration and scanning activities (e.g., Snort rules).
Monitor alerts generated by IDS/IPS indicating suspicious SMB enumeration behavior.
Indicators of Compromise (IoCs):
Unusual execution patterns of net commands (net view, net share, net use) or PowerShell SMB enumeration cmdlets.
High volume of SMB traffic originating from a single host or user account.
Multiple failed SMB authentication attempts across network shares.
Suspicious access attempts to sensitive or administrative shares (ADMIN$, C$, IPC$).
Early detection of Network Share Discovery is critical due to the potential impacts and risks posed to organizations:
Facilitation of Lateral Movement:
Attackers use discovered shares to pivot and compromise additional systems, escalating the severity and scope of attacks.
Data Exfiltration:
Sensitive data stored on network shares (e.g., intellectual property, financial data, customer information) can be identified, accessed, and exfiltrated by attackers.
Privilege Escalation:
Attackers gaining access to administrative shares or sensitive configuration files can escalate privileges, significantly increasing attack severity.
Operational Disruption:
Unauthorized access or modification of shared resources could lead to operational disruption, data corruption, or denial of service.
Regulatory and Compliance Risks:
Failure to detect and respond to unauthorized access to sensitive information stored on network shares may result in regulatory fines, legal actions, and reputational damage.
Early detection enables timely response, containment, and mitigation efforts, significantly reducing potential damage and preventing attackers from achieving their objectives.
Real-world examples illustrating the use of Network Share Discovery:
WannaCry Ransomware Attack (2017):
Attackers utilized SMB enumeration to identify vulnerable systems and network shares.
Leveraged SMB vulnerabilities (EternalBlue exploit) to propagate laterally, encrypting data stored on network shares, and causing widespread disruption.
NotPetya Attack (2017):
Attackers conducted SMB enumeration to discover accessible shares and propagate malware rapidly across internal networks.
Malware leveraged SMB vulnerabilities and administrative shares to spread internally, causing significant operational and financial impacts globally.
APT29 (Cozy Bear) Campaigns:
Advanced Persistent Threat (APT) group observed conducting SMB enumeration to identify sensitive data repositories and administrative resources.
Enumerated network shares to exfiltrate sensitive information, intellectual property, and intelligence data.
Commonly used tools observed in real-world scenarios:
SMBMap:
Python-based tool designed for SMB enumeration, share discovery, and permission analysis.
smbclient (Linux/Unix):
Command-line utility used for enumerating SMB shares and interacting with SMB servers.
Nmap SMB scripts:
Scripts such as smb-enum-shares automate SMB enumeration across multiple hosts.
PowerShell scripts:
Custom scripts leveraging built-in PowerShell cmdlets for SMB enumeration and analysis.
Impacts observed in real-world attacks:
Rapid lateral movement across internal networks.
Large-scale data exfiltration of sensitive and confidential information.
Significant operational disruption and financial losses due to ransomware attacks.
Regulatory fines, legal actions, and reputational damage resulting from unauthorized access to sensitive data.