Find sigma rule

Attack: Data from Network Shared Drive

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

MITRE

Tactic

collection

technique

T1039

OS

windows

Description:

Copy from sensitive File from the c$ of another LAN computer with powershell https://twitter.com/SBousseaden/status/1211636381086339073

Executor

powershell

Sigma Rule

proc_creation_win_susp_copy_lateral_movement.yml (id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900)
proc_creation_win_susp_script_exec_from_temp.yml (id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test

Attack: Data from Network Shared Drive

MITRE

Tactic

technique

OS

Description:

Executor

Sigma Rule

Attack: Data from Network Shared Drive

MITRE

Tactic

technique

Test : Copy a sensitive File over Administrative share with Powershell

OS

Description:

Executor

Sigma Rule