Description
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (a host's shared directory, a network file server, etc.) that are accessible from the current system, prior to Exfiltration. Interactive command shells may be in use, and built-in cmd functionality (for example, mapping a share with <code>net use</code> and listing its contents with <code>dir</code>) may be used to locate and gather the data.
Platforms
Threat Groups (8)
| ID | Group | Context |
|---|---|---|
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has collected data about network drives.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has collected files from network shared drives.(Citation: Cybersecurity Advisory GRU Brute Force Campai... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has collected Microsoft Office documents from mapped network drives.(Citation: ESET G... |
| G0060 | BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) has exfiltrated files stolen from file shares.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| G0054 | Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) extracted Word documents from a file server on a victim network.(Citation: Symantec Sowbug Nov 2017) |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has collected data of interest from network shares.(Citation: NCC Group Chimera January 2021) |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has collected data from remote systems by mounting network shares with <code>net use</code> and usin... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has searched network shares to access sensitive documents.(Citation: CISA AA20-259A Iran-Based Act... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0050 | CosmicDuke | Malware | [CosmicDuke](https://attack.mitre.org/software/S0050) steals user files from network shared drives with file extensions and keywords that match a pred... |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) can collect any files found in the enumerated drives before sending them to its C2 channel.(Citation... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can collect data from network drives and stage it for exfiltration.(Citation: Eset Ramsay May 2020) |
| S0128 | BADNEWS | Malware | When it first starts, [BADNEWS](https://attack.mitre.org/software/S0128) crawls the victim's mapped drives and collects documents with the following e... |
Frequently Asked Questions
What is T1039 (Data from Network Shared Drive)?
T1039 is a MITRE ATT&CK technique named 'Data from Network Shared Drive'. It belongs to the Collection tactic(s). Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory...
How can T1039 be detected?
Detection of T1039 (Data from Network Shared Drive) relies on telemetry from both the endpoint doing the collecting and the file server being read. On the endpoint, monitor process creation and command lines for share enumeration and bulk copying (for example <code>net use</code>, <code>net view</code>, <code>dir</code> over UNC paths, <code>xcopy</code> or <code>robocopy</code> with a UNC source), especially from interactive shells or unusual parent processes. On the file server, enable Object Access auditing for File Share and Detailed File Share so that Windows Security Event IDs 5140 (share connected) and 5145 (individual file access check) are generated, then look for one account or client address reading an unusually large number of documents, or touching many shares, in a short window. Event 5145 is high-volume, so baseline normal access per user and share and exclude logon noise such as SYSVOL, NETLOGON and IPC$ before alerting. Network monitoring can corroborate with SMB read volumes that are abnormal for the host. Feed these into SIEM rules, EDR detections and behavioral analytics rather than relying on any single source.
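The server-side check described above, as an added example that is not part of the ATT&CK page: it runs a sliding-window count of distinct document reads per account and client address over Event ID 5145 records. The records are constructed for illustration in a simple pipe-delimited shape (timestamp, file server, SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask); a real deployment would read the same fields from the event XML or a SIEM export. The thresholds, the document-extension list and the noise-share list are assumptions to tune per environment.

```python
"""Flag bulk document collection from SMB shares using Windows Security
Event ID 5145 (Detailed File Share) records. Added detection example; the
sample records below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed extension list: file types an adversary typically sweeps for.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                  ".pdf", ".txt", ".rtf", ".odt"}
# Shares touched by every domain logon; excluded to cut 5145 noise.
NOISE_SHARES = {"IPC$", "SYSVOL", "NETLOGON"}
READ_DATA = 0x1  # FILE_READ_DATA bit of the AccessMask


def parse_event(line):
    """Parse one constructed record:
    time|server|SubjectUserName|IpAddress|ShareName|RelativeTargetName|AccessMask"""
    ts, server, user, client, share, path, mask = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "server": server,
        "user": user,
        "client": client,
        # ShareName is logged as \\*\Finance; keep only the share's name.
        "share": share.rsplit("\\", 1)[-1],
        "path": path,
        "mask": int(mask, 16),
    }


def is_document(path):
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in DOC_EXTENSIONS


def find_bulk_share_collection(lines, window=timedelta(minutes=5),
                               min_docs=20, min_shares=3):
    """Return one alert per (user, client) whose busiest window of document
    reads reaches min_docs distinct files or spans min_shares shares."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in events:
        if (e["user"].endswith("$")            # machine accounts
                or e["share"] in NOISE_SHARES
                or not e["mask"] & READ_DATA    # not a read
                or not is_document(e["path"])):
            continue
        by_actor[(e["user"], e["client"])].append(e)

    alerts = []
    for (user, client), evs in by_actor.items():
        best, start = None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            docs = {(x["share"], x["path"]) for x in win}
            shares = sorted({x["share"] for x in win})
            if best is None or len(docs) > best["distinct_docs"]:
                best = {"user": user, "client": client,
                        "first": win[0]["ts"], "last": win[-1]["ts"],
                        "distinct_docs": len(docs), "shares": shares}
        if best["distinct_docs"] >= min_docs or len(best["shares"]) >= min_shares:
            alerts.append(best)
    return alerts


def sample_events():
    """Constructed 5145-style records: domain logon noise, a user opening two
    spreadsheets, and one account sweeping three shares for 25 documents."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()}|FS01|WS042$|10.1.2.42|\\\\*\\SYSVOL|corp.local\\Policies\\gpt.ini|0x120089",
        f"{(base + timedelta(seconds=30)).isoformat()}|FS01|jdoe|10.1.2.42|\\\\*\\Finance|Budget\\FY24.xlsx|0x120089",
        f"{(base + timedelta(seconds=90)).isoformat()}|FS01|jdoe|10.1.2.42|\\\\*\\Finance|Budget\\FY23.xlsx|0x120089",
    ]
    shares = ["Finance", "HR", "Legal"]
    for i in range(25):
        ts = base + timedelta(minutes=10, seconds=5 * i)
        lines.append(f"{ts.isoformat()}|FS01|m.smith|10.1.9.77|\\\\*\\{shares[i % 3]}|Archive\\doc{i:02d}.docx|0x120089")
    return lines


if __name__ == "__main__":
    for a in find_bulk_share_collection(sample_events()):
        print(f"{a['user']}@{a['client']}: {a['distinct_docs']} documents across "
              f"{a['shares']} between {a['first']} and {a['last']}")
```

Grouping by account and client address rather than by account alone matters here: a compromised account used from an unfamiliar workstation stands out even when the same account reads the same shares legitimately from its usual host, and the machine-account, noise-share and read-bit filters are what keep the rule usable against the volume that Detailed File Share auditing produces.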
What mitigations exist for T1039?
Because this technique abuses legitimate file-sharing functionality with the access a compromised account already has, preventive controls are limited; the practical mitigations reduce what a single compromised host or account can reach and make the activity visible. Grant share and NTFS permissions on a least-privilege basis and review them regularly, remove or restrict shares that are no longer needed (including administrative shares where they are not required), segment file servers so that only the hosts and users with a business need can reach them, and enable File Share and Detailed File Share auditing so that access is logged and can be monitored. Standard hygiene such as regular patching still applies, but does not by itself prevent an adversary with valid credentials from reading a share.
Which threat groups use T1039?
Known threat groups using T1039 include: RedCurl, APT28, Gamaredon Group, BRONZE BUTLER, Sowbug, Chimera, menuPass, Fox Kitten.