Description
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) Net can be used to query a remote system for available shared drives using the `net view \\remotesystem` command. It can also be used to query shared drives on the local system using `net share`. For macOS, the `sharing -l` command lists all shared points used for SMB services.
Platforms
Mitigations (1)
Operating System Configuration (M1028)
Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares. (Citation: Windows Anonymous Enumeration of SAM Accounts)
Threat Groups (16)
| ID | Group | Context |
|---|---|---|
| G0131 | Tonto Team | [Tonto Team](https://attack.mitre.org/groups/G0131) has used tools such as [NBTscan](https://attack.mitre.org/software/S0590) to enumerate network sha... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used the post exploitation tool [CrackMapExec](https://attack.mitre.org/software/S0488) to enumerat... |
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) scanned the network for public shared folders.(Citation: Securelist DarkVishnya Dec 2018) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used the <code>net view</code> command to show all shares available, including the administrative share... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used the <code>net share</code> command as part of network reconnaissance.(Citation: FireEye APT41 Aug... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has identified network shares using `cmd.exe /c net share`.(Citation: CISA Medusa Group Medusa R... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>net share</code> and <code>net view</code> to identify network shares of interest.(Cit... |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has enumerated network shares on a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020) |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) enumerated network shares on victim devices.(Citation: Cisco BlackByte 2024) |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has executed net view commands for enumeration of open shares on compromised machines.(Citation: Mandia... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>netview</code> to scan target systems for shared resources.(Citation: TrendMicro Tr... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used Internet Explorer to view folders on other systems.(Citation: Huntress INC Ransom Group A... |
| G0054 | Sowbug | [Sowbug](https://attack.mitre.org/groups/G0054) listed remote shared drives that were accessible from a victim.(Citation: Symantec Sowbug Nov 2017) |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has identified and browsed file servers in the victim network, sometimes, viewing files pertaining... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) listed connected network shares.(Citation: Mandiant APT1) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used the “net view” command to locate mapped network shares.(Citation: DHS/CISA Ransomware ... |
Associated Software (57)
| ID | Name | Type | Context |
|---|---|---|---|
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can check a user's access to the C$ share on a compromised machine.(Citation: BitDefender BADHATCH... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) can identify network shares connected to the victim machine.(Citation: Trustwave Black... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can scan for network drives which may contain documents for collection.(Citation: Eset Ramsay May 20... |
| S0575 | Conti | Malware | [Conti](https://attack.mitre.org/software/S0575) can enumerate remote open SMB network shares using <code>NetShareEnum()</code>.(Citation: CarbonBlack... |
| S1244 | Medusa Ransomware | Malware | [Medusa Ransomware](https://attack.mitre.org/software/S1244) has identified networked drives.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomwa... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can list local and remote shared drives and folders over SMB.(Citation: GitHub Pupy) |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can enumerate shared drives on the domain.(Citation: NCC Group Team9 June 2020) |
| S1160 | Latrodectus | Malware | [Latrodectus](https://attack.mitre.org/software/S1160) can run `C:\Windows\System32\cmd.exe /c net view /all` to discover network shares.(Citation: E... |
| S0625 | Cuba | Malware | [Cuba](https://attack.mitre.org/software/S0625) can discover shared resources using the <code>NetShareEnum</code> API call.(Citation: McAfee Cuba Apri... |
| S0236 | Kwampirs | Malware | [Kwampirs](https://attack.mitre.org/software/S0236) collects a list of network shares with the command <code>net share</code>.(Citation: Symantec Oran... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can use <code>net share</code> to identify network shares for use in lateral movement.(Citation: Tre... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can enumerate shares on a compromised host.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| S0659 | Diavol | Malware | [Diavol](https://attack.mitre.org/software/S0659) has an `ENMDSKS` command to enumerate available network shares.(Citation: Fortinet Diavol July 2021)... |
| S0039 | Net | Tool | The <code>net view \\remotesystem</code> and <code>net share</code> commands in [Net](https://attack.mitre.org/software/S0039) can be used to find sha... |
| S1141 | LunarWeb | Malware | [LunarWeb](https://attack.mitre.org/software/S1141) can identify shared resources in compromised environments.(Citation: ESET Turla Lunar toolset May ... |
| S0618 | FIVEHANDS | Malware | [FIVEHANDS](https://attack.mitre.org/software/S0618) can enumerate network shares and mounted drives on a network.(Citation: NCC Group Fivehands June ... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has enumerated non-hidden network shares using `WNetEnumResourceW`. (Citation: Binary Defense Emotes... |
| S1085 | Sardonic | Malware | [Sardonic](https://attack.mitre.org/software/S1085) has the ability to execute the `net view` command.(Citation: Bitdefender Sardonic Aug 2021) |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has a module to enumerate network shares.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Cita... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can enumerate the shared folders and associated permissions for a targeted network.(Citation: ... |
References
- Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.
- Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.
Frequently Asked Questions
What is T1135 (Network Share Discovery)?
T1135 is a MITRE ATT&CK technique named 'Network Share Discovery'. It belongs to the Discovery tactic(s). Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of inter...
How can T1135 be detected?
Detection of T1135 (Network Share Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
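Detection logic for the commands the description names, as an added example that is not part of the original page: it classifies process-creation command lines as `net view`, `net share` or `sharing -l` and flags hosts that run `net view` against several distinct systems in a short window. The event tuples, host names, the 60-second window and the threshold of three targets are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events: (host, epoch seconds, command line).
SAMPLE_EVENTS = [
    ("ws-014", 1000, r"cmd.exe /c net share"),
    ("ws-014", 1012, r"net view \\fs01"),
    ("ws-014", 1015, r"net.exe view \\fs02 /all"),
    ("ws-014", 1021, r"C:\Windows\System32\net1.exe view \\dc01"),
    ("ws-022", 2000, r"net use Z: \\fs01\public"),
    ("ws-022", 2005, r"ping fs01"),
    ("mac-03", 3000, "sharing -l"),
]

# net/net1 (optional path, .exe, closing quote) followed by the "view" or "share" verb.
NET_RE = re.compile(r'(?:^|[\\/\s"])net1?(?:\.exe)?"?\s+(view|share)\b(.*)', re.I)
SHARING_RE = re.compile(r"(?:^|[/\s])sharing\s+-l\b")
TARGET_RE = re.compile(r"\\\\([^\\\s/]+)")  # \\host in a UNC argument

def classify(cmdline):
    """Return (kind, remote_target_or_None), or None if not share discovery."""
    m = NET_RE.search(cmdline)
    if m:
        verb, rest = m.group(1).lower(), m.group(2)
        if verb == "share":
            return ("net share", None)
        t = TARGET_RE.search(rest)
        return ("net view", t.group(1).lower() if t else None)
    if SHARING_RE.search(cmdline):
        return ("sharing -l", None)
    return None

def hunt(events, window=60, min_targets=3):
    """Return (hits per host, hosts that swept >= min_targets systems in window s)."""
    hits, views = defaultdict(list), defaultdict(list)
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        c = classify(cmd)
        if c:
            hits[host].append((ts, c[0], c[1]))
            if c[1]:
                views[host].append((ts, c[1]))
    sweeps = []
    for host, seen in views.items():
        for i, (start, _) in enumerate(seen):
            targets = {t for ts, t in seen[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                sweeps.append(host)
                break
    return dict(hits), sorted(sweeps)
```

A single `net share` or `net view` is common administrative activity, so the per-host hit list is context for triage and the multi-target sweep is the higher-signal result.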
What mitigations exist for T1135?
There is 1 documented mitigation for T1135. Key mitigations include: Operating System Configuration.
Which threat groups use T1135?
Known threat groups using T1135 include: Tonto Team, APT39, DarkVishnya, APT32, APT41, Medusa Group, Chimera, APT38.