T1039

Data from Network Shared Drive

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

Microsoft Sentinel / Defender

kusto

let SuspiciousExtensions = dynamic(["doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "rtf", "db", "sql", "kdbx", "pfx", "key", "pem", "conf", "config", "ini", "bak", "eml", "msg", "ost", "pst"]);
let BulkAccessThreshold = 25;
let LookbackWindow = 2h;
// Signal 1: Bulk file reads/copies from UNC network paths in a short window
let BulkShareReads = DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath startswith @"\\\\"
| where FileExtension in~ (SuspiciousExtensions)
| summarize
    FileCount = count(),
    UniqueShares = dcount(tostring(split(FolderPath, "\\")[2])),
    FileTypes = make_set(FileExtension, 20),
    SampleFiles = make_set(FileName, 10),
    Earliest = min(Timestamp),
    Latest = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= BulkAccessThreshold
| extend SignalType = "BulkNetworkShareRead", Severity = iff(FileCount >= 100, "High", "Medium");
// Signal 2: net use / net view commands mapping or enumerating shares
let NetUseCommands = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "use" or ProcessCommandLine has "view"
| where ProcessCommandLine matches regex @"\\\\.+"
| extend SignalType = "NetworkShareMounting", Severity = "Medium"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Signal 3: Robocopy / xcopy / forfiles targeting UNC paths for bulk data collection
let BulkCopyTools = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("robocopy.exe", "xcopy.exe", "forfiles.exe")
| where ProcessCommandLine matches regex @"\\\\"
| extend SignalType = "BulkCopyFromShare", Severity = "High"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Signal 4: PowerShell bulk enumeration and copy from network paths
let PowerShellShareCollection = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (@"\\\\", "Get-ChildItem", "Copy-Item", "Get-Item")
       and ProcessCommandLine has_any (@"\\\\", "UNC", "-Path", "-Recurse")
| where ProcessCommandLine matches regex @"\\\\.+"
| extend SignalType = "PowerShellShareCollection", Severity = "High"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Combine all signals
BulkShareReads
| project Timestamp = Earliest, DeviceName, AccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SignalType, Severity, FileCount, UniqueShares,
          FileTypes = tostring(FileTypes), SampleFiles = tostring(SampleFiles)
| union (NetUseCommands | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| union (BulkCopyTools | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| union (PowerShellShareCollection | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access Network Share: Network Share Access Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Backup agents (Veeam, Commvault, Windows Server Backup) performing scheduled backups from network shares — typically run as a service account during off-hours windows
DLP or data classification tools (Varonis, Spirion, Microsoft Purview) scanning network shares during inventory runs — generates high FileCount against many share paths
IT administrators using Robocopy or xcopy for legitimate data migration, server decommission, or disaster recovery operations with pre-approved change tickets
File synchronization clients (OneDrive, SharePoint sync, Dropbox Business) that mount SMB shares and perform bulk reads for sync operations
Antivirus or EDR agents performing full scan of network-accessible paths — parent process will be a security product executable
Software deployment tools (SCCM, Intune) accessing distribution point shares to cache or distribute software packages

Splunk

spl

| union
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | where match(TargetFilename, "^\\\\\\\\[^\\\\]+\\\\")
    | where match(lower(TargetFilename), "\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|pst)$")
    | eval SignalType="BulkNetworkShareWrite"
    | eval ShareHost=mvindex(split(TargetFilename, "\\"), 2)
    | stats count as FileCount, dc(ShareHost) as UniqueShares, values(TargetFilename) as SampleFiles, earliest(_time) as Earliest, latest(_time) as Latest by host, User, Image, CommandLine, SignalType
    | where FileCount >= 25
    | eval Severity=if(FileCount >= 100, "High", "Medium") ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | where (match(lower(Image), "net(1)?\.exe$") AND match(CommandLine, "(use|view)") AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"))
       OR (match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$") AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"))
       OR ((match(lower(Image), "(powershell|pwsh)\.exe$")) AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]") AND match(lower(CommandLine), "(get-childitem|copy-item|get-item|gci|cp )"))
    | eval SignalType=case(
        match(lower(Image), "net(1)?\.exe$"), "NetworkShareMounting",
        match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$"), "BulkCopyFromShare",
        match(lower(Image), "(powershell|pwsh)\.exe$"), "PowerShellShareCollection",
        true(), "NetworkShareToolUsage")
    | eval Severity=case(
        match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$"), "High",
        match(lower(Image), "(powershell|pwsh)\.exe$"), "High",
        true(), "Medium")
    | eval FileCount=0, UniqueShares=0, SampleFiles=""
    | table _time as Earliest, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, Severity, FileCount, UniqueShares, SampleFiles ]
| rename host as DeviceName, User as AccountName, Image as ProcessImage, CommandLine as ProcessCommandLine
| sort - Earliest

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Command: Command Execution Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup agents writing to network share destinations during scheduled backup windows — Sysmon EID 11 will fire at high volume from the backup agent process
DLP/classification tools scanning network shares — generates sustained EID 11 bursts from the scanning service executable
Legitimate Robocopy/xcopy jobs for server migration or DR — verify against change management records and expected service account usage
SharePoint or OneDrive sync clients synchronizing large file sets to UNC-mounted paths
Software distribution points (SCCM) caching packages to network share locations
Developers or build pipelines copying build artifacts to file share paths using xcopy or robocopy

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=2h
  [any where event.category == "file" and event.action in ("creation", "change") and
   file.path : "\\\\*" and
   file.extension in~ ("doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "rtf", "db", "sql", "kdbx", "pfx", "key", "pem", "conf", "config", "ini", "bak", "eml", "msg", "ost", "pst")]
  [any where event.category == "process" and
   (
     (process.name in~ ("net.exe", "net1.exe") and process.command_line : ("* use *", "* view *") and process.command_line : "*\\\\*") or
     (process.name in~ ("robocopy.exe", "xcopy.exe", "forfiles.exe") and process.command_line : "*\\\\*") or
     (process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : "*\\\\*" and
      process.command_line : ("*Get-ChildItem*", "*Copy-Item*", "*Get-Item*", "*-Recurse*"))
   )
  ]

// Standalone bulk file collection rule (pipe separately in SIEM workflow):
// from logs-endpoint.events.file-*
// | where event.category == "file"
// | where file.path like "\\\\*"
// | where file.extension in ("doc","docx","xls","xlsx","pdf","ppt","pptx","txt","csv","rtf","db","sql","kdbx","pfx","key","pem","conf","config","ini","bak","eml","msg","ost","pst")
// | stats count(*) as file_count, count_distinct(file.path) as unique_paths by host.name, user.name, process.name
// | where file_count >= 25

high severity medium confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.file-*) Elastic Endpoint Security (logs-endpoint.events.process-*) Winlogbeat (winlogbeat-*)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-*

False Positives

Legitimate backup software (e.g., Veeam, Backup Exec agents) performing scheduled file copies from network shares to local staging directories
IT administrators using robocopy or xcopy for sanctioned data migrations between file servers or department shares
Software deployment tools (SCCM, PDQ Deploy) using UNC paths to stage installation packages across the environment

IBM QRadar (AQL)

sql

-- Signal 1: Bulk file creation/writes to UNC paths (Sysmon Event 11)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS EarliestTime,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LatestTime,
  sourceip AS DeviceIP,
  username AS AccountName,
  'BulkNetworkShareWrite' AS SignalType,
  CASE WHEN COUNT(*) >= 100 THEN 'High' ELSE 'Medium' END AS Severity,
  COUNT(*) AS FileCount,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (LOGSOURCETYPEID('Microsoft Windows Security Event Log'), LOGSOURCETYPEID('Sysmon'))
  AND QIDNAME(qid) LIKE '%FileCreate%'
  AND "TargetFilename" LIKE '\\\\%'
  AND (
    LOWER("TargetFilename") LIKE '%.doc' OR LOWER("TargetFilename") LIKE '%.docx'
    OR LOWER("TargetFilename") LIKE '%.xls' OR LOWER("TargetFilename") LIKE '%.xlsx'
    OR LOWER("TargetFilename") LIKE '%.pdf' OR LOWER("TargetFilename") LIKE '%.ppt'
    OR LOWER("TargetFilename") LIKE '%.csv' OR LOWER("TargetFilename") LIKE '%.rtf'
    OR LOWER("TargetFilename") LIKE '%.db' OR LOWER("TargetFilename") LIKE '%.sql'
    OR LOWER("TargetFilename") LIKE '%.kdbx' OR LOWER("TargetFilename") LIKE '%.pfx'
    OR LOWER("TargetFilename") LIKE '%.key' OR LOWER("TargetFilename") LIKE '%.pem'
    OR LOWER("TargetFilename") LIKE '%.conf' OR LOWER("TargetFilename") LIKE '%.bak'
    OR LOWER("TargetFilename") LIKE '%.eml' OR LOWER("TargetFilename") LIKE '%.pst'
  )
  AND starttime > NOW() - 2 HOURS
GROUP BY sourceip, username
HAVING COUNT(*) >= 25
UNION ALL
-- Signal 2: net use/view, robocopy, xcopy, forfiles, PowerShell targeting UNC paths (Sysmon Event 1 / Security 4688)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EarliestTime,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS LatestTime,
  sourceip AS DeviceIP,
  username AS AccountName,
  CASE
    WHEN LOWER("Image") LIKE '%net.exe' OR LOWER("Image") LIKE '%net1.exe' THEN 'NetworkShareMounting'
    WHEN LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe' OR LOWER("Image") LIKE '%forfiles.exe' THEN 'BulkCopyFromShare'
    WHEN LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe' THEN 'PowerShellShareCollection'
    ELSE 'NetworkShareToolUsage'
  END AS SignalType,
  CASE
    WHEN LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe'
         OR LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe' THEN 'High'
    ELSE 'Medium'
  END AS Severity,
  1 AS FileCount,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (LOGSOURCETYPEID('Microsoft Windows Security Event Log'), LOGSOURCETYPEID('Sysmon'))
  AND (
    (LOWER("Image") LIKE '%net.exe' OR LOWER("Image") LIKE '%net1.exe')
    OR (LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe' OR LOWER("Image") LIKE '%forfiles.exe')
    OR (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe')
  )
  AND "CommandLine" LIKE '\\\\%'
  AND (
    (LOWER("Image") LIKE '%net%' AND ("CommandLine" LIKE '% use %' OR "CommandLine" LIKE '% view %'))
    OR LOWER("Image") LIKE '%robocopy%'
    OR LOWER("Image") LIKE '%xcopy%'
    OR LOWER("Image") LIKE '%forfiles%'
    OR (LOWER("Image") LIKE '%powershell%' AND (
      LOWER("CommandLine") LIKE '%get-childitem%' OR LOWER("CommandLine") LIKE '%copy-item%'
      OR LOWER("CommandLine") LIKE '%get-item%' OR LOWER("CommandLine") LIKE '%-recurse%'
    ))
  )
  AND starttime > NOW() - 2 HOURS
ORDER BY EarliestTime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon operational log via Windows Event Log DSM QRadar Log Source: Sysmon (EventCode 1 Process Create, EventCode 11 File Create)

Required Tables

events

False Positives

Automated backup agents (Veeam, Commvault, Acronis) generating high-volume file write events to network share targets during backup windows
Software distribution systems (SCCM, Intune, Ansible) using net use to mount administrative shares for policy or package deployment
Help desk or IT staff using robocopy for approved user data migrations or profile transfers between shared storage locations

Sumo Logic CSE

sql

// Signal 1: Bulk file creation on UNC/SMB network paths (Sysmon Event 11)
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| where EventID = "11"
| where TargetFilename matches "\\\\\\\\*"
| where TargetFilename matches "(?i)\\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$"
| parse field=TargetFilename "\\\\\\\\*\\*" as ShareHost nodrop
| timeslice 2h
| stats count as FileCount, count_distinct(ShareHost) as UniqueShares, first(TargetFilename) as SampleFile, first(Image) as ProcessImage, first(CommandLine) as ProcessCmdLine by _timeslice, Computer, User
| where FileCount >= 25
| if (FileCount >= 100, "High", "Medium") as Severity
| "BulkNetworkShareWrite" as SignalType
| fields - _timeslice

// Signal 2: Share enumeration and bulk copy tools targeting UNC paths (Sysmon Event 1)
// Run separately and union results at dashboard level:
// (_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
// | where EventID = "1"
// | where (
//   (Image matches "(?i)net(1)?\.exe$" and CommandLine matches "(?i)(use|view)" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]")
//   OR (Image matches "(?i)(robocopy|xcopy|forfiles)\.exe$" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]")
//   OR (Image matches "(?i)(powershell|pwsh)\.exe$" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]"
//       and CommandLine matches "(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\\-Recurse)")
// )
// | if (Image matches "(?i)(robocopy|xcopy|powershell|pwsh)", "High", "Medium") as Severity
// | if (Image matches "(?i)net(1)?\.exe", "NetworkShareMounting",
//   if (Image matches "(?i)(robocopy|xcopy|forfiles)\.exe", "BulkCopyFromShare", "PowerShellShareCollection")) as SignalType
// | fields _messageTime as EarliestTime, Computer, User, Image, CommandLine, ParentImage, SignalType, Severity

high severity medium confidence

Data Sources

Windows Sysmon Operational Log (_sourceCategory=windows/sysmon) Sumo Logic Cloud SIEM Enterprise normalized Windows events

Required Tables

windows/sysmon os/windows/sysmon

False Positives

Enterprise DFS namespace traversal by legitimate indexing services (Windows Search, SharePoint crawler) generating high file access counts against document library shares
Power users running approved robocopy or xcopy scripts for departmental data archival or SharePoint migration projects
Developers or DevOps engineers using PowerShell scripts with Get-ChildItem against build artifact shares during CI/CD pipeline runs

Google Chronicle / SecOps

yaral

rule t1039_data_from_network_shared_drive {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects data collection from network shared drives via bulk file access on UNC paths and execution of share enumeration or bulk copy tools. Covers APT28, RedCurl, Gamaredon, menuPass, Chimera, BRONZE BUTLER TTPs."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1039"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1039/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal A: Bulk copy/enumeration tool execution targeting UNC paths
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname
    $e1.principal.user.userid = $user
    (
      // net use / net view
      (
        re.regex($e1.target.process.file.full_path, `(?i)(\\|/)net(1)?\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)(use|view)`) and
        re.regex($e1.target.process.command_line, `\\\\[a-zA-Z0-9]`)
      ) or
      // robocopy, xcopy, forfiles
      (
        re.regex($e1.target.process.file.full_path, `(?i)(robocopy|xcopy|forfiles)\.exe$`) and
        re.regex($e1.target.process.command_line, `\\\\\\\\[a-zA-Z0-9]`)
      ) or
      // PowerShell bulk enumeration
      (
        re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e1.target.process.command_line, `\\\\\\\\[a-zA-Z0-9]`) and
        re.regex($e1.target.process.command_line, `(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\-Recurse)`)
      )
    )

    // Signal B: File creation/write on a UNC network path with sensitive extension
    $e2.metadata.event_type = "FILE_CREATION"
    $e2.principal.hostname = $hostname
    $e2.principal.user.userid = $user
    re.regex($e2.target.file.full_path, `^\\\\\\\\[^\\\\]+\\\\`)
    re.regex($e2.target.file.full_path, `(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$`)

    // Correlate on same host and user within 2 hours
    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds + 7200
    $e1.metadata.event_timestamp.seconds >= $e2.metadata.event_timestamp.seconds - 7200

  condition:
    $e1 and $e2
}

high severity medium confidence

Data Sources

Google Chronicle UDM — Windows endpoint telemetry (EDR or Sysmon via forwarder) Chronicle Ingestion: Windows Event Logs (Security, Sysmon Operational) Chronicle Entity Graph for host and user context

Required Tables

PROCESS_LAUNCH UDM events FILE_CREATION UDM events

False Positives

Scheduled backup jobs running under service accounts that use robocopy to mirror file server contents to backup shares — these generate correlated process + file creation signals matching both rule conditions
IT administrators legitimately mapping and browsing department file shares with net use followed by manual file copy during offboarding or data recovery tasks
PowerShell DSC or automation scripts using Get-ChildItem and Copy-Item against UNC paths for configuration management or software distribution

CrowdStrike LogScale (CQL)

cql

// Signal 1: Bulk copy tools and share enumeration processes targeting UNC paths
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(net|net1|robocopy|xcopy|forfiles|powershell|pwsh)\.exe$/
| CommandLine = /\\\\/
| case {
    FileName = /(?i)net(1)?\.exe$/ AND CommandLine = /(?i)(use|view)/ => SignalType := "NetworkShareMounting"; Severity := "Medium";
    FileName = /(?i)(robocopy|xcopy|forfiles)\.exe$/ => SignalType := "BulkCopyFromShare"; Severity := "High";
    FileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\-Recurse)/ => SignalType := "PowerShellShareCollection"; Severity := "High";
    * => SignalType := "NetworkShareToolUsage"; Severity := "Medium";
  }
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SignalType, Severity], function=[
    count(aid, as=EventCount),
    min(timestamp, as=EarliestTime),
    max(timestamp, as=LatestTime)
  ])
| sort(EarliestTime, order=desc)

// Signal 2: Bulk file writes to network share paths (run separately or union at dashboard)
// #event_simpleName = "PeFileWritten" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "DocumentWritten"
// | TargetDirectoryName = /^\\\\/
// | TargetFileName = /(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$/
// | ShareHost := splitString(TargetDirectoryName, "\\\\")[1]
// | groupBy([ComputerName, UserName, ContextBaseFileName, ShareHost], function=[
//     count(TargetFileName, as=FileCount),
//     min(timestamp, as=EarliestTime),
//     max(timestamp, as=LatestTime),
//     collect(TargetFileName, limit=10, as=SampleFiles)
//   ])
// | FileCount >= 25
// | Severity := if(FileCount >= 100, "High", "Medium")
// | SignalType := "BulkNetworkShareWrite"
// | sort(EarliestTime, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Insight XDR — ProcessRollup2 events CrowdStrike Falcon Insight XDR — File write telemetry (PeFileWritten, DocumentWritten) Falcon Data Replicator (FDR) stream

Required Tables

ProcessRollup2 PeFileWritten DocumentWritten

False Positives

Endpoint management agents (e.g., BigFix, MECM) executing net use commands to administrative shares during patch deployment or inventory collection cycles
Data migration projects where xcopy or robocopy is used under service accounts to transfer bulk document sets between file servers during business hours
Security operations tooling (e.g., DFIR triage scripts) using PowerShell with Get-ChildItem and Copy-Item against evidence collection shares during incident response

Last updated: 2026-04-16 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Data from Network Shared Drive

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Collection

Popular Detections