Network Share

A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS).[1]

ID: DS0033
Platforms: Linux, Windows, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Network Share: Network Share Access

Opening a network share, which makes the contents available to the requestor (e.g., Windows Event ID 5140 or 5145)

| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | Monitor for unexpected network shares being accessed on target systems or on large numbers of systems. |
| ICS | T0811 | Data from Information Repositories | In the case of detecting collection from shared network drives, monitor for unexpected and abnormal accesses to network shares. For added context on adversary procedures and background, see Data from Network Shared Drive. |
| Enterprise | T1039 | Data from Network Shared Drive | Monitor for unexpected and abnormal accesses to network shares. |
| Enterprise | T1570 | Lateral Tool Transfer | Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as SMB. |
| ICS | T0867 | Lateral Tool Transfer | Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB). |
| Enterprise | T1021 | Remote Services | Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB). |
| ICS | T0886 | Remote Services | Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background, see Remote Services and applicable sub-techniques. |
| Enterprise | T1080 | Taint Shared Content | Monitor for unexpected and abnormal accesses to network shares, especially those also associated with file activity. |
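
The two conditions the detections above keep returning to, share access that is unexpected and share access spread across large numbers of systems, can be checked over Event ID 5140 records as in the following added example (not part of the original page). The field names follow the Windows event schema; the sample events, the baseline, the 5-minute window and the 3-server threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, shaped like parsed Windows Security EID 5140 records.
FIELDS = ("TimeCreated", "Computer", "SubjectUserName", "IpAddress", "ShareName")
RAW = [
    ("2024-05-01T09:00:05", "FS01", "alice", "10.0.0.21", r"\\*\Finance"),
    ("2024-05-01T09:02:11", "FS01", "bob", "10.0.0.22", r"\\*\Public"),
    ("2024-05-01T09:10:00", "WS101", "svc_backup", "10.0.0.50", r"\\*\C$"),
    ("2024-05-01T09:10:20", "WS102", "svc_backup", "10.0.0.50", r"\\*\C$"),
    ("2024-05-01T09:10:41", "WS103", "svc_backup", "10.0.0.50", r"\\*\C$"),
    ("2024-05-01T09:11:02", "WS104", "svc_backup", "10.0.0.50", r"\\*\ADMIN$"),
    ("2024-05-01T11:30:00", "FS01", "bob", "10.0.0.22", r"\\*\Finance"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

# Assumed baseline: (user, server, share) triples seen during normal operation.
BASELINE = {("alice", "FS01", r"\\*\Finance"), ("bob", "FS01", r"\\*\Public")}

def unexpected_access(events, baseline):
    """Return events whose (user, server, share) triple is not in the baseline."""
    return [e for e in events
            if (e["SubjectUserName"], e["Computer"], e["ShareName"]) not in baseline]

def fan_out(events, window=timedelta(minutes=5), threshold=3):
    """Source IP -> servers, for sources reaching `threshold` servers in `window`."""
    by_src = defaultdict(list)
    for e in events:
        when = datetime.fromisoformat(e["TimeCreated"])
        by_src[e["IpAddress"]].append((when, e["Computer"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        for right, (ts, _) in enumerate(hits):
            while ts - hits[left][0] > window:  # slide the window start forward
                left += 1
            hosts = {h for _, h in hits[left:right + 1]}
            if len(hosts) >= threshold:
                flagged.setdefault(src, set()).update(hosts)
    return flagged

if __name__ == "__main__":
    for e in unexpected_access(EVENTS, BASELINE):
        print("unexpected:", e["SubjectUserName"], e["Computer"], e["ShareName"])
    for src, hosts in fan_out(EVENTS).items():
        print("fan-out:", src, sorted(hosts))
```

The baseline would normally be built from a period of known-good 5140 data, and the window and threshold tuned so that legitimate backup or management hosts are either allow-listed or fall below the threshold.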

References