Potential Network Share Discovery

edit

Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*
  • logs-system.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Tactic: Collection
  • Rule Type: BBR

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by user.name, source.port, source.ip with maxspan=15s
 [file where event.action == "network-share-object-access-checked" and
  winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and
  source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
 [file where event.action == "network-share-object-access-checked" and
  winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and
  source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]

Framework: MITRE ATT&CKTM