Find sigma rule
Attack: Data from Network Shared Drive
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
MITRE
Tactic
- collection
technique
- T1039
Test : Copy a sensitive File over Administrative share with Powershell
OS
- windows
Description:
Copy from sensitive File from the c$ of another LAN computer with powershell https://twitter.com/SBousseaden/status/1211636381086339073
Executor
powershell
Sigma Rule
-
proc_creation_win_susp_copy_lateral_movement.yml (id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900)
-
proc_creation_win_susp_script_exec_from_temp.yml (id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33)