Techniques
Sample rules
Windows File Share Discovery With Powerview
- source: splunk
- technicques:
- T1135
Description
The following analytic identifies the use of the Invoke-ShareFinder PowerShell commandlet part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer. Network file shares in Active Directory environments may contain sensitive information like backups, scripts, credentials, etc. Adversaries who have obtained a foothold in an AD network may leverage PowerView to identify secrets and leverage them for Privilege Escalation or Lateral Movement.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*)
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_share_discovery_with_powerview_filter`