Hunt Type 🔥

{"Flames (Hypothesis-Driven)"=>"Based on assumptions about adversary behavior or specific activities."}

HEARTH Crafter

Oussama AZRARA

Hunt Idea / Hypothesis

Adversaries may search for network shares on compromised systems to locate files of interest. Sensitive data can be gathered from remote systems via shared network drives (host-shared directories, network file servers, etc.) that are accessible from the current system before exfiltration.

MITRE ATT&CK Tactic

Collection

Implementation Notes

Data requirements: EDR telemetry, Windows event logs id 5140
Implementation examples in SIGMA:

title: Suspicious Network Share Enumeration and Access id: xxxxx status: test description: Detects commands used for network share enumeration and correlates with Event ID 5140 for access to shared resources. author: Your Name date: 2024/11/14 tags:

attack.discovery
attack.t1135 logsource: category: process_creation product: windows detection: selection_cmd: Image|endswith:
- '\cmd.exe'
- '\powershell.exe' CommandLine|contains|all:
- 'net view'
- '\' selection_event: EventID: 5140 condition: selection_cmd or selection_event falsepositives:
Legitimate administrative tasks
Regular file-sharing activities level: medium

Search Tags

collection #DatafromNetworkSharedDrive

Value and Impact

Hunting for adversarial activity involving network share exploration on compromised systems is crucial for detecting potential data theft early. By monitoring access to shared network drives and tracking unusual usage of command shell functions, defenders can identify attempts to locate and collect sensitive data before it is exfiltrated.

triw0lf / HEARTH

Suspicious access to network shares #12