Which SIEM platforms have a T1039 detection rule?

df00tech provides T1039 (Data from Network Shared Drive) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1039 detection?

The T1039 detection is rated high severity with medium confidence.

What are common false positives for T1039?

Common false positives for T1039 include: Backup agents (Veeam, Commvault, Windows Server Backup) performing scheduled backups from network shares — typically run as a service account during off-hours windows; DLP or data classification tools (Varonis, Spirion, Microsoft Purview) scanning network shares during inventory runs — generates high FileCount against many share paths; IT administrators using Robocopy or xcopy for legitimate data migration, server decommission, or disaster recovery operations with pre-approved change tickets.

T1039

Data from Network Shared Drive

Q: What data sources are required to detect Data from Network Shared Drive (T1039)?

Detecting Data from Network Shared Drive requires the following data sources: File: File Access, Network Share: Network Share Access, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

Collection Last updated: April 16, 2026

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

What is T1039 Data from Network Shared Drive?

Data from Network Shared Drive (T1039) maps to the Collection tactic — the adversary is trying to gather data of interest to their goal in MITRE ATT&CK.

This page provides production-ready detection logic for Data from Network Shared Drive, covering the data sources and telemetry it touches: File: File Access, Network Share: Network Share Access, Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Collection
Technique: T1039 Data from Network Shared Drive
Canonical reference: https://attack.mitre.org/techniques/T1039/

Microsoft Sentinel / Defender

kusto

let SuspiciousExtensions = dynamic(["doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "rtf", "db", "sql", "kdbx", "pfx", "key", "pem", "conf", "config", "ini", "bak", "eml", "msg", "ost", "pst"]);
let BulkAccessThreshold = 25;
let LookbackWindow = 2h;
// Signal 1: Bulk file reads/copies from UNC network paths in a short window
let BulkShareReads = DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath startswith @"\\\\"
| where FileExtension in~ (SuspiciousExtensions)
| summarize
    FileCount = count(),
    UniqueShares = dcount(tostring(split(FolderPath, "\\")[2])),
    FileTypes = make_set(FileExtension, 20),
    SampleFiles = make_set(FileName, 10),
    Earliest = min(Timestamp),
    Latest = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= BulkAccessThreshold
| extend SignalType = "BulkNetworkShareRead", Severity = iff(FileCount >= 100, "High", "Medium");
// Signal 2: net use / net view commands mapping or enumerating shares
let NetUseCommands = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "use" or ProcessCommandLine has "view"
| where ProcessCommandLine matches regex @"\\\\.+"
| extend SignalType = "NetworkShareMounting", Severity = "Medium"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Signal 3: Robocopy / xcopy / forfiles targeting UNC paths for bulk data collection
let BulkCopyTools = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("robocopy.exe", "xcopy.exe", "forfiles.exe")
| where ProcessCommandLine matches regex @"\\\\"
| extend SignalType = "BulkCopyFromShare", Severity = "High"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Signal 4: PowerShell bulk enumeration and copy from network paths
let PowerShellShareCollection = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (@"\\\\", "Get-ChildItem", "Copy-Item", "Get-Item")
       and ProcessCommandLine has_any (@"\\\\", "UNC", "-Path", "-Recurse")
| where ProcessCommandLine matches regex @"\\\\.+"
| extend SignalType = "PowerShellShareCollection", Severity = "High"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Combine all signals
BulkShareReads
| project Timestamp = Earliest, DeviceName, AccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SignalType, Severity, FileCount, UniqueShares,
          FileTypes = tostring(FileTypes), SampleFiles = tostring(SampleFiles)
| union (NetUseCommands | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| union (BulkCopyTools | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| union (PowerShellShareCollection | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| sort by Timestamp desc

Multi-signal detection covering four distinct collection patterns for T1039. Signal 1 identifies bulk file reads/copies from UNC paths (\\server\share) in DeviceFileEvents where a single process accesses 25+ documents (configurable) matching sensitive extensions within 2 hours. Signal 2 catches net.exe/net1.exe invocations mapping or viewing network shares. Signal 3 detects Robocopy, xcopy, and forfiles targeting UNC paths — a menuPass TTP. Signal 4 flags PowerShell Get-ChildItem or Copy-Item operations against network paths, commonly used by RedCurl and Gamaredon. The BulkAccessThreshold variable (default: 25) should be tuned to your environment's baseline share access volume.

high severity medium confidence

Data Sources

File: File Access Network Share: Network Share Access Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Backup agents (Veeam, Commvault, Windows Server Backup) performing scheduled backups from network shares — typically run as a service account during off-hours windows
DLP or data classification tools (Varonis, Spirion, Microsoft Purview) scanning network shares during inventory runs — generates high FileCount against many share paths
IT administrators using Robocopy or xcopy for legitimate data migration, server decommission, or disaster recovery operations with pre-approved change tickets
File synchronization clients (OneDrive, SharePoint sync, Dropbox Business) that mount SMB shares and perform bulk reads for sync operations
Antivirus or EDR agents performing full scan of network-accessible paths — parent process will be a security product executable
Software deployment tools (SCCM, Intune) accessing distribution point shares to cache or distribute software packages

Splunk

spl

| union
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | where match(TargetFilename, "^\\\\\\\\[^\\\\]+\\\\")
    | where match(lower(TargetFilename), "\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|pst)$")
    | eval SignalType="BulkNetworkShareWrite"
    | eval ShareHost=mvindex(split(TargetFilename, "\\"), 2)
    | stats count as FileCount, dc(ShareHost) as UniqueShares, values(TargetFilename) as SampleFiles, earliest(_time) as Earliest, latest(_time) as Latest by host, User, Image, CommandLine, SignalType
    | where FileCount >= 25
    | eval Severity=if(FileCount >= 100, "High", "Medium") ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | where (match(lower(Image), "net(1)?\.exe$") AND match(CommandLine, "(use|view)") AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"))
       OR (match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$") AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"))
       OR ((match(lower(Image), "(powershell|pwsh)\.exe$")) AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]") AND match(lower(CommandLine), "(get-childitem|copy-item|get-item|gci|cp )"))
    | eval SignalType=case(
        match(lower(Image), "net(1)?\.exe$"), "NetworkShareMounting",
        match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$"), "BulkCopyFromShare",
        match(lower(Image), "(powershell|pwsh)\.exe$"), "PowerShellShareCollection",
        true(), "NetworkShareToolUsage")
    | eval Severity=case(
        match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$"), "High",
        match(lower(Image), "(powershell|pwsh)\.exe$"), "High",
        true(), "Medium")
    | eval FileCount=0, UniqueShares=0, SampleFiles=""
    | table _time as Earliest, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, Severity, FileCount, UniqueShares, SampleFiles ]
| rename host as DeviceName, User as AccountName, Image as ProcessImage, CommandLine as ProcessCommandLine
| sort - Earliest

Two-branch detection for T1039 using Sysmon telemetry. Branch 1 uses Event ID 11 (File Create) to identify bulk creation of sensitive document types (25+ files) in paths matching UNC format (\\server\share\), aggregated per process within the search window. Branch 2 uses Event ID 1 (Process Create) to catch net.exe share mounting, Robocopy/xcopy bulk copy tools, and PowerShell Get-ChildItem/Copy-Item operations targeting UNC paths. Both branches tag a SignalType for analyst triage and assign severity based on the tool or volume involved. Adjust the FileCount threshold (default: 25) by baselining your environment's normal share write activity.

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup agents writing to network share destinations during scheduled backup windows — Sysmon EID 11 will fire at high volume from the backup agent process
DLP/classification tools scanning network shares — generates sustained EID 11 bursts from the scanning service executable
Legitimate Robocopy/xcopy jobs for server migration or DR — verify against change management records and expected service account usage
SharePoint or OneDrive sync clients synchronizing large file sets to UNC-mounted paths
Software distribution points (SCCM) caching packages to network share locations
Developers or build pipelines copying build artifacts to file share paths using xcopy or robocopy

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=2h
  [any where event.category == "file" and event.action in ("creation", "change") and
   file.path : "\\\\*" and
   file.extension in~ ("doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "rtf", "db", "sql", "kdbx", "pfx", "key", "pem", "conf", "config", "ini", "bak", "eml", "msg", "ost", "pst")]
  [any where event.category == "process" and
   (
     (process.name in~ ("net.exe", "net1.exe") and process.command_line : ("* use *", "* view *") and process.command_line : "*\\\\*") or
     (process.name in~ ("robocopy.exe", "xcopy.exe", "forfiles.exe") and process.command_line : "*\\\\*") or
     (process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : "*\\\\*" and
      process.command_line : ("*Get-ChildItem*", "*Copy-Item*", "*Get-Item*", "*-Recurse*"))
   )
  ]

// Standalone bulk file collection rule (pipe separately in SIEM workflow):
// from logs-endpoint.events.file-*
// | where event.category == "file"
// | where file.path like "\\\\*"
// | where file.extension in ("doc","docx","xls","xlsx","pdf","ppt","pptx","txt","csv","rtf","db","sql","kdbx","pfx","key","pem","conf","config","ini","bak","eml","msg","ost","pst")
// | stats count(*) as file_count, count_distinct(file.path) as unique_paths by host.name, user.name, process.name
// | where file_count >= 25

Detects data collection from network shared drives by correlating bulk UNC-path file creation/access events with share enumeration or bulk copy tool execution. Covers net use/view, robocopy, xcopy, forfiles, and PowerShell Get-ChildItem/Copy-Item targeting SMB shares within a 2-hour window — matching MITRE ATT&CK T1039 tactics observed from APT28, RedCurl, and Chimera.

high severity medium confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.file-*) Elastic Endpoint Security (logs-endpoint.events.process-*) Winlogbeat (winlogbeat-*)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Legitimate backup software (e.g., Veeam, Backup Exec agents) performing scheduled file copies from network shares to local staging directories
IT administrators using robocopy or xcopy for sanctioned data migrations between file servers or department shares
Software deployment tools (SCCM, PDQ Deploy) using UNC paths to stage installation packages across the environment

IBM QRadar (AQL)

sql

-- Signal 1: Bulk file creation/writes to UNC paths (Sysmon Event 11)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS EarliestTime,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LatestTime,
  sourceip AS DeviceIP,
  username AS AccountName,
  'BulkNetworkShareWrite' AS SignalType,
  CASE WHEN COUNT(*) >= 100 THEN 'High' ELSE 'Medium' END AS Severity,
  COUNT(*) AS FileCount,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (LOGSOURCETYPEID('Microsoft Windows Security Event Log'), LOGSOURCETYPEID('Sysmon'))
  AND QIDNAME(qid) LIKE '%FileCreate%'
  AND "TargetFilename" LIKE '\\\\%'
  AND (
    LOWER("TargetFilename") LIKE '%.doc' OR LOWER("TargetFilename") LIKE '%.docx'
    OR LOWER("TargetFilename") LIKE '%.xls' OR LOWER("TargetFilename") LIKE '%.xlsx'
    OR LOWER("TargetFilename") LIKE '%.pdf' OR LOWER("TargetFilename") LIKE '%.ppt'
    OR LOWER("TargetFilename") LIKE '%.csv' OR LOWER("TargetFilename") LIKE '%.rtf'
    OR LOWER("TargetFilename") LIKE '%.db' OR LOWER("TargetFilename") LIKE '%.sql'
    OR LOWER("TargetFilename") LIKE '%.kdbx' OR LOWER("TargetFilename") LIKE '%.pfx'
    OR LOWER("TargetFilename") LIKE '%.key' OR LOWER("TargetFilename") LIKE '%.pem'
    OR LOWER("TargetFilename") LIKE '%.conf' OR LOWER("TargetFilename") LIKE '%.bak'
    OR LOWER("TargetFilename") LIKE '%.eml' OR LOWER("TargetFilename") LIKE '%.pst'
  )
  AND starttime > NOW() - 2 HOURS
GROUP BY sourceip, username
HAVING COUNT(*) >= 25
UNION ALL
-- Signal 2: net use/view, robocopy, xcopy, forfiles, PowerShell targeting UNC paths (Sysmon Event 1 / Security 4688)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EarliestTime,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS LatestTime,
  sourceip AS DeviceIP,
  username AS AccountName,
  CASE
    WHEN LOWER("Image") LIKE '%net.exe' OR LOWER("Image") LIKE '%net1.exe' THEN 'NetworkShareMounting'
    WHEN LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe' OR LOWER("Image") LIKE '%forfiles.exe' THEN 'BulkCopyFromShare'
    WHEN LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe' THEN 'PowerShellShareCollection'
    ELSE 'NetworkShareToolUsage'
  END AS SignalType,
  CASE
    WHEN LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe'
         OR LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe' THEN 'High'
    ELSE 'Medium'
  END AS Severity,
  1 AS FileCount,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (LOGSOURCETYPEID('Microsoft Windows Security Event Log'), LOGSOURCETYPEID('Sysmon'))
  AND (
    (LOWER("Image") LIKE '%net.exe' OR LOWER("Image") LIKE '%net1.exe')
    OR (LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe' OR LOWER("Image") LIKE '%forfiles.exe')
    OR (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe')
  )
  AND "CommandLine" LIKE '\\\\%'
  AND (
    (LOWER("Image") LIKE '%net%' AND ("CommandLine" LIKE '% use %' OR "CommandLine" LIKE '% view %'))
    OR LOWER("Image") LIKE '%robocopy%'
    OR LOWER("Image") LIKE '%xcopy%'
    OR LOWER("Image") LIKE '%forfiles%'
    OR (LOWER("Image") LIKE '%powershell%' AND (
      LOWER("CommandLine") LIKE '%get-childitem%' OR LOWER("CommandLine") LIKE '%copy-item%'
      OR LOWER("CommandLine") LIKE '%get-item%' OR LOWER("CommandLine") LIKE '%-recurse%'
    ))
  )
  AND starttime > NOW() - 2 HOURS
ORDER BY EarliestTime DESC

AQL detection for T1039 covering two correlated signals: bulk file writes to UNC/SMB paths (Sysmon Event 11) with suspicious extensions exceeding a 25-file threshold, and execution of share enumeration or bulk copy tools (net use, robocopy, xcopy, forfiles, PowerShell) targeting UNC paths. Results are UNION'd and severity-classified based on tool risk level.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon operational log via Windows Event Log DSM QRadar Log Source: Sysmon (EventCode 1 Process Create, EventCode 11 File Create)

Required Tables

events

False Positives

Automated backup agents (Veeam, Commvault, Acronis) generating high-volume file write events to network share targets during backup windows
Software distribution systems (SCCM, Intune, Ansible) using net use to mount administrative shares for policy or package deployment
Help desk or IT staff using robocopy for approved user data migrations or profile transfers between shared storage locations

Sumo Logic CSE

sql

// Signal 1: Bulk file creation on UNC/SMB network paths (Sysmon Event 11)
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| where EventID = "11"
| where TargetFilename matches "\\\\\\\\*"
| where TargetFilename matches "(?i)\\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$"
| parse field=TargetFilename "\\\\\\\\*\\*" as ShareHost nodrop
| timeslice 2h
| stats count as FileCount, count_distinct(ShareHost) as UniqueShares, first(TargetFilename) as SampleFile, first(Image) as ProcessImage, first(CommandLine) as ProcessCmdLine by _timeslice, Computer, User
| where FileCount >= 25
| if (FileCount >= 100, "High", "Medium") as Severity
| "BulkNetworkShareWrite" as SignalType
| fields - _timeslice

// Signal 2: Share enumeration and bulk copy tools targeting UNC paths (Sysmon Event 1)
// Run separately and union results at dashboard level:
// (_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
// | where EventID = "1"
// | where (
//   (Image matches "(?i)net(1)?\.exe$" and CommandLine matches "(?i)(use|view)" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]")
//   OR (Image matches "(?i)(robocopy|xcopy|forfiles)\.exe$" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]")
//   OR (Image matches "(?i)(powershell|pwsh)\.exe$" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]"
//       and CommandLine matches "(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\\-Recurse)")
// )
// | if (Image matches "(?i)(robocopy|xcopy|powershell|pwsh)", "High", "Medium") as Severity
// | if (Image matches "(?i)net(1)?\.exe", "NetworkShareMounting",
//   if (Image matches "(?i)(robocopy|xcopy|forfiles)\.exe", "BulkCopyFromShare", "PowerShellShareCollection")) as SignalType
// | fields _messageTime as EarliestTime, Computer, User, Image, CommandLine, ParentImage, SignalType, Severity

Sumo Logic CSE detection for T1039 identifying bulk file collection from SMB/UNC network shares via Sysmon Event 11 (FileCreate) and process execution signals (Sysmon Event 1) covering net use, net view, robocopy, xcopy, forfiles, and PowerShell cmdlets targeting UNC paths. Bulk threshold of 25 files within a 2-hour timeslice triggers medium severity; 100+ files triggers high.

high severity medium confidence

Data Sources

Windows Sysmon Operational Log (_sourceCategory=windows/sysmon) Sumo Logic Cloud SIEM Enterprise normalized Windows events

Required Tables

windows/sysmon os/windows/sysmon

False Positives

Enterprise DFS namespace traversal by legitimate indexing services (Windows Search, SharePoint crawler) generating high file access counts against document library shares
Power users running approved robocopy or xcopy scripts for departmental data archival or SharePoint migration projects
Developers or DevOps engineers using PowerShell scripts with Get-ChildItem against build artifact shares during CI/CD pipeline runs

Google Chronicle / SecOps

yaral

rule t1039_data_from_network_shared_drive {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects data collection from network shared drives via bulk file access on UNC paths and execution of share enumeration or bulk copy tools. Covers APT28, RedCurl, Gamaredon, menuPass, Chimera, BRONZE BUTLER TTPs."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1039"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1039/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal A: Bulk copy/enumeration tool execution targeting UNC paths
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname
    $e1.principal.user.userid = $user
    (
      // net use / net view
      (
        re.regex($e1.target.process.file.full_path, `(?i)(\\|/)net(1)?\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)(use|view)`) and
        re.regex($e1.target.process.command_line, `\\\\[a-zA-Z0-9]`)
      ) or
      // robocopy, xcopy, forfiles
      (
        re.regex($e1.target.process.file.full_path, `(?i)(robocopy|xcopy|forfiles)\.exe$`) and
        re.regex($e1.target.process.command_line, `\\\\\\\\[a-zA-Z0-9]`)
      ) or
      // PowerShell bulk enumeration
      (
        re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e1.target.process.command_line, `\\\\\\\\[a-zA-Z0-9]`) and
        re.regex($e1.target.process.command_line, `(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\-Recurse)`)
      )
    )

    // Signal B: File creation/write on a UNC network path with sensitive extension
    $e2.metadata.event_type = "FILE_CREATION"
    $e2.principal.hostname = $hostname
    $e2.principal.user.userid = $user
    re.regex($e2.target.file.full_path, `^\\\\\\\\[^\\\\]+\\\\`)
    re.regex($e2.target.file.full_path, `(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$`)

    // Correlate on same host and user within 2 hours
    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds + 7200
    $e1.metadata.event_timestamp.seconds >= $e2.metadata.event_timestamp.seconds - 7200

  condition:
    $e1 and $e2
}

Chronicle YARA-L 2.0 rule correlating two signals within a 2-hour window on the same host and user: (1) execution of share enumeration or bulk data transfer tools (net use/view, robocopy, xcopy, forfiles, PowerShell with Get-ChildItem/Copy-Item) targeting UNC paths, and (2) file creation events on UNC/SMB network paths with sensitive document or credential file extensions. Maps to MITRE ATT&CK T1039.

high severity medium confidence

Data Sources

Google Chronicle UDM — Windows endpoint telemetry (EDR or Sysmon via forwarder) Chronicle Ingestion: Windows Event Logs (Security, Sysmon Operational) Chronicle Entity Graph for host and user context

Required Tables

PROCESS_LAUNCH UDM events FILE_CREATION UDM events

False Positives

Scheduled backup jobs running under service accounts that use robocopy to mirror file server contents to backup shares — these generate correlated process + file creation signals matching both rule conditions
IT administrators legitimately mapping and browsing department file shares with net use followed by manual file copy during offboarding or data recovery tasks
PowerShell DSC or automation scripts using Get-ChildItem and Copy-Item against UNC paths for configuration management or software distribution

CrowdStrike LogScale (CQL)

cql

// Signal 1: Bulk copy tools and share enumeration processes targeting UNC paths
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(net|net1|robocopy|xcopy|forfiles|powershell|pwsh)\.exe$/
| CommandLine = /\\\\/
| case {
    FileName = /(?i)net(1)?\.exe$/ AND CommandLine = /(?i)(use|view)/ => SignalType := "NetworkShareMounting"; Severity := "Medium";
    FileName = /(?i)(robocopy|xcopy|forfiles)\.exe$/ => SignalType := "BulkCopyFromShare"; Severity := "High";
    FileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\-Recurse)/ => SignalType := "PowerShellShareCollection"; Severity := "High";
    * => SignalType := "NetworkShareToolUsage"; Severity := "Medium";
  }
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SignalType, Severity], function=[
    count(aid, as=EventCount),
    min(timestamp, as=EarliestTime),
    max(timestamp, as=LatestTime)
  ])
| sort(EarliestTime, order=desc)

// Signal 2: Bulk file writes to network share paths (run separately or union at dashboard)
// #event_simpleName = "PeFileWritten" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "DocumentWritten"
// | TargetDirectoryName = /^\\\\/
// | TargetFileName = /(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$/
// | ShareHost := splitString(TargetDirectoryName, "\\\\")[1]
// | groupBy([ComputerName, UserName, ContextBaseFileName, ShareHost], function=[
//     count(TargetFileName, as=FileCount),
//     min(timestamp, as=EarliestTime),
//     max(timestamp, as=LatestTime),
//     collect(TargetFileName, limit=10, as=SampleFiles)
//   ])
// | FileCount >= 25
// | Severity := if(FileCount >= 100, "High", "Medium")
// | SignalType := "BulkNetworkShareWrite"
// | sort(EarliestTime, order=desc)

CrowdStrike LogScale (Humio CQL) detection for T1039 covering two query patterns: (1) process execution signals using ProcessRollup2 events to identify net use/view, robocopy, xcopy, forfiles, and PowerShell targeting UNC paths with severity classification, and (2) bulk file write detection to UNC/SMB network paths with sensitive extensions exceeding a 25-file threshold. Both are grouped by host and user for analyst triage.

high severity medium confidence

Data Sources

CrowdStrike Falcon Insight XDR — ProcessRollup2 events CrowdStrike Falcon Insight XDR — File write telemetry (PeFileWritten, DocumentWritten) Falcon Data Replicator (FDR) stream

Required Tables

ProcessRollup2 PeFileWritten DocumentWritten

False Positives

Endpoint management agents (e.g., BigFix, MECM) executing net use commands to administrative shares during patch deployment or inventory collection cycles
Data migration projects where xcopy or robocopy is used under service accounts to transfer bulk document sets between file servers during business hours
Security operations tooling (e.g., DFIR triage scripts) using PowerShell with Get-ChildItem and Copy-Item against evidence collection shares during incident response

Sigma rule & cross-platform mapping

The detection logic for Data from Network Shared Drive (T1039) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1039 Sigma rules on detection.fyi

Platform-specific guides for T1039

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Map and Enumerate Network Share with net use
Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\\\localhost\\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.
Test 2Bulk Document Collection via Robocopy from Network Share
Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from robocopy.exe process.
Test 3PowerShell Recursive Document Harvest from Network Share
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing UNC access pattern.
Test 4Forfiles-based Targeted Extension Harvest from Share
Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data from Network Shared Drive

What is T1039 Data from Network Shared Drive?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1039

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Collection

Popular Detections

What is T1039 Data from Network Shared Drive?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1039

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Collection

Popular Detections

Get new detections in your inbox