A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)[1]
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact |
Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
|
| ICS | T0811 | Data from Information Repositories |
In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. |
|
| Enterprise | T1039 | Data from Network Shared Drive |
Monitor for unexpected and abnormal accesses to network shares. |
|
| Enterprise | T1570 | Lateral Tool Transfer |
Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as SMB. |
|
| ICS | T0867 | Lateral Tool Transfer |
Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB). |
|
| Enterprise | T1021 | Remote Services |
Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). |
|
| .002 | SMB/Windows Admin Shares |
Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB). |
||
| ICS | T0886 | Remote Services |
Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see Remote Services and applicable sub-techniques. |
|
| Enterprise | T1080 | Taint Shared Content |
Monitor for unexpected and abnormal accesses to network shares, especially those also associated with file activity. |
|