ATT&CK v18 has been released! Check out the blog post or changelog for more information.

Network Share Access

Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

ID: DC0102

Domains: ICS, Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
m365:unified	FileUploaded, FileAccessed
Network Share	None
NSM:Flow	smb_files.log
WinEventLog:Microsoft-Windows-SMBClient/Security	EventCode=31001
WinEventLog:Microsoft-Windows-SMBServer	Access to SYSVOL share from non-admin user or unusual endpoints
WinEventLog:Security	EventCode=5140
WinEventLog:Security	EventCode=5145

Detection Strategy

ID	Name	Technique Detected
DET0413	Abuse of Information Repositories for Data Collection	T1213
DET0381	Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL	T1552.006
DET0367	Detect Network Logon Script Abuse via Multi-Event Correlation on Windows	T1037.003
DET0549	Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms	T1552.004
DET0754	Detection of Data from Information Repositories	T0811
DET0745	Detection of Lateral Tool Transfer	T0867
DET0071	Detection of Remote Data Staging Prior to Exfiltration	T1074.002
DET0804	Detection of Remote Services	T0886
DET0471	Detection of Tainted Content Written to Shared Storage	T1080
DET0410	Detection Strategy for Data from Network Shared Drive	T1039
DET0183	Detection Strategy for Lateral Tool Transfer across OS platforms	T1570
DET0476	Email Collection via Local Email Access and Auto-Forwarding Behavior	T1114