Network Share Discovery, Technique T1135 - Enterprise
Akira can identify remote file shares for encryption.[3]
APT1 listed connected network shares.[4]
APT32 used the net view command to show all shares available, including the administrative shares such as C$ and ADMIN$.[5]
APT38 has enumerated network shares on a compromised host.[6]
APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.[7]
APT41 used the net share command as part of network reconnaissance.[8][9]
Avaddon has enumerated shared folders and mapped volumes.[10]
AvosLocker has enumerated shared drives on a compromised network.[11][12]
Babuk has the ability to enumerate network shares.[13]
Bad Rabbit enumerates open SMB shares on internal victim networks.[14]
BADHATCH can check a user's access to the C$ share on a compromised machine.[15]
Bazar can enumerate shared drives on the domain.[16]
BitPaymer can search for network shares on the domain or workgroup using net view.[17]
BlackByte enumerated network shares on victim devices.[18]
BlackByte 2.0 Ransomware can identify network shares connected to the victim machine.[19]
BlackByte Ransomware can identify network shares connected to the victim machine.[20]
BlackCat has the ability to discover network shares on compromised networks.[21][22]
During C0015, the threat actors executed the PowerView ShareFinder module to identify open shares.[23]
Chimera has used net share and net view to identify network shares of interest.[24]
Clambling has the ability to enumerate network shares.[25]
Clop can enumerate network shares.[26]
Cobalt Strike can query shared drives on the local system.[27]
Conti can enumerate remote open SMB network shares using NetShareEnum().[28][29]
CrackMapExec can enumerate the shared folders and associated permissions for a targeted network.[30]
Cuba can discover shared resources using the NetShareEnum API call.[31]
DarkVishnya scanned the network for public shared folders.[32]
DEATHRANSOM has the ability to use loop operations to enumerate network resources.[33]
Diavol has an ENMDSKS command to enumerate available network shares.[34]
Dragonfly has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.[35]
DUSTTRAP can identify and enumerate victim system network shares.[36]
Embargo has searched for folders, subfolders and other networked or mounted drives for follow-on encryption actions.[37]
Emotet has enumerated non-hidden network shares using WNetEnumResourceW.[38]
Empire can find shared drives on the local system.[39]
FIN13 has executed net view commands for enumeration of open shares on compromised machines.[40][41]
FIVEHANDS can enumerate network shares and mounted drives on a network.[42]
Flagpro has been used to execute net view to discover mapped network shares.[43]
HELLOKITTY has the ability to enumerate network resources.[33]
IcedID has used the net view /all command to show available shares.[44]
INC Ransom has used Internet Explorer to view folders on other systems.[45]
INC Ransomware has the ability to check for shared network drives to encrypt.[46]
InvisiMole can gather network share information.[47]
Koadic can scan the local network for open SMB.[48]
KOPILUWAK can use netstat and Net to discover network shares.[49]
Kwampirs collects a list of network shares with the command net share.[50]
Latrodectus can run C:\Windows\System32\cmd.exe /c net view /all to discover network shares.[51][52]
Leviathan scanned and enumerated remote network shares in victim environments during Leviathan Australian Intrusions.[53]
LockBit 2.0 can discover remote shares.[54]
LockBit 3.0 can identify network shares on compromised systems.[55]
LunarWeb can identify shared resources in compromised environments.[56]
Medusa Group has identified network shares using cmd.exe /c net share.[57]
Medusa Ransomware has identified networked drives.[58][59][60]
MURKYTOP has the capability to retrieve information about shares on remote hosts.[61]
The net view \\remotesystem and net share commands in Net can be used to find shared drives and directories on remote and local systems respectively.[62]
Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.[63]
During Operation CuckooBees, the threat actors used the net share command as part of their advanced reconnaissance.[64]
During Operation Wocao, threat actors discovered network disks mounted to the system using netstat.[65]
OSInfo discovers shares on the network.[66]
PlugX has a module to enumerate network shares.[67][68]
Pupy can list local and remote shared drives and folders over SMB.[69]
QakBot can use net share to identify network shares for use in lateral movement.[70][71]
Qilin has the ability to list network drives.[72][73]
QuietSieve can identify and search networked drives for specific file name extensions.[74]
Ramsay can scan for network drives which may contain documents for collection.[75][76]
RansomHub has the ability to target specific network shares for encryption.[77]
Royal can enumerate the shared resources of a given IP address using the API call NetShareEnum.[78]
Sardonic has the ability to execute the net view command.[79]
ShimRat can enumerate connected drives for infected host machines.[80]
SILENTTRINITY can enumerate shares on a compromised host.[81]
Sowbug listed remote shared drives that were accessible from a victim.[82]
Stuxnet enumerates the directories of a network resource.[83]
Tonto Team has used tools such as NBTscan to enumerate network shares.[84]
TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API.[85][86]
Tropic Trooper used netview to scan target systems for shared resources.[87]
WastedLocker can identify network adjacent and accessible drives.[88]
WhisperGate can enumerate connected remote logical drives.[89]
Wizard Spider has used the "net view" command to locate mapped network shares.[90]
Zebrocy identifies network drives when they are added to victim systems.[91]