T1039 Google Chronicle · YARA-L

Detect Data from Network Shared Drive in Google Chronicle

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

MITRE ATT&CK

Tactic: Collection
Technique: T1039 Data from Network Shared Drive
Canonical reference: https://attack.mitre.org/techniques/T1039/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule t1039_data_from_network_shared_drive {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects data collection from network shared drives via bulk file access on UNC paths and execution of share enumeration or bulk copy tools. Covers APT28, RedCurl, Gamaredon, menuPass, Chimera, BRONZE BUTLER TTPs."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1039"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1039/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Signal A: share enumeration or bulk copy tool launched with a UNC path (\\server\share) on its command line.
    // Regexes are backtick raw strings, so `\\\\` matches two literal backslashes.
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname
    $e1.principal.user.userid = $user
    (
      // net use / net view (word-bounded so "net user" does not match)
      (
        re.regex($e1.target.process.file.full_path, `(?i)(\\|/)net1?\.exe$`) and
        re.regex($e1.target.process.command_line, `(?i)\b(use|view)\b`) and
        re.regex($e1.target.process.command_line, `\\\\[a-zA-Z0-9]`)
      ) or
      // robocopy, xcopy, forfiles with a UNC source or destination
      (
        re.regex($e1.target.process.file.full_path, `(?i)(robocopy|xcopy|forfiles)\.exe$`) and
        re.regex($e1.target.process.command_line, `\\\\[a-zA-Z0-9]`)
      ) or
      // PowerShell recursive enumeration or copy against a UNC path
      (
        re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
        re.regex($e1.target.process.command_line, `\\\\[a-zA-Z0-9]`) and
        re.regex($e1.target.process.command_line, `(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|-Recurse)`)
      )
    )

    // Signal B: file created on a UNC network path (\\server\share\...) with a sensitive document or credential extension
    $e2.metadata.event_type = "FILE_CREATION"
    $e2.principal.hostname = $hostname
    $e2.principal.user.userid = $user
    re.regex($e2.target.file.full_path, `^\\\\[^\\]+\\`)
    re.regex($e2.target.file.full_path, `(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$`)

  match:
    // Correlate both signals on the same host and user within a 2-hour window
    // (multi-event YARA-L 2.0 rules require a match section; the window replaces manual timestamp arithmetic)
    $hostname, $user over 2h

  condition:
    $e1 and $e2
}

Severity: HIGH · Confidence: MEDIUM

Chronicle YARA-L 2.0 rule correlating two signals within a 2-hour window on the same host and user: (1) execution of share enumeration or bulk data transfer tools (net use/view, robocopy, xcopy, forfiles, PowerShell with Get-ChildItem/Copy-Item) targeting UNC paths, and (2) file creation events on UNC/SMB network paths with sensitive document or credential file extensions. Maps to MITRE ATT&CK T1039.

Data Sources

  • Google Chronicle UDM: Windows endpoint telemetry (EDR or Sysmon via forwarder)
  • Chronicle Ingestion: Windows Event Logs (Security, Sysmon Operational)
  • Chronicle Entity Graph for host and user context

Required Tables

  • PROCESS_LAUNCH UDM events
  • FILE_CREATION UDM events

False Positives & Tuning

  • Scheduled backup jobs running under service accounts that use robocopy to mirror file server contents to backup shares — these generate correlated process + file creation signals matching both rule conditions
  • IT administrators legitimately mapping and browsing department file shares with net use followed by manual file copy during offboarding or data recovery tasks
  • PowerShell DSC or automation scripts using Get-ChildItem and Copy-Item against UNC paths for configuration management or software distribution
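The rule's matching logic and the tuning points above, replayed offline in Python as an added example (this is not Argus's code and not part of the Chronicle rule). It mirrors the Signal A and Signal B regexes, applies the same-host, same-user correlation with the 2-hour window (approximated here as events at most 7200 seconds apart), and shows one tuning knob, an allowlist of backup service accounts whose robocopy mirror jobs are expected. The hostnames, share names, timestamps, the svc_backup account and the flattened dotted UDM field names are all constructed assumptions for readability, not values from the page.

```python
"""Offline replay of the T1039 YARA-L rule logic over constructed UDM-style events.

Assumption (not from the page): events are dicts keyed by the UDM field names the
rule references, flattened with dotted keys.
"""
import re
from collections import defaultdict

# Patterns mirror the rule's Signal A (process launch) and Signal B (file creation) regexes.
UNC_IN_CMDLINE = re.compile(r"\\\\[a-zA-Z0-9]")          # \\server on the command line
NET_EXE = re.compile(r"(?i)(\\|/)net1?\.exe$")
NET_VERB = re.compile(r"(?i)\b(use|view)\b")               # word-bounded: "net user" must not match
COPY_TOOLS = re.compile(r"(?i)(robocopy|xcopy|forfiles)\.exe$")
POWERSHELL = re.compile(r"(?i)(powershell|pwsh)\.exe$")
PS_CMDLETS = re.compile(r"(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|-Recurse)")
UNC_FILE_PATH = re.compile(r"^\\\\[^\\]+\\")              # \\server\share\...
SENSITIVE_EXT = re.compile(
    r"(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem"
    r"|conf|config|ini|bak|eml|msg|ost|pst)$"
)

WINDOW_SECONDS = 2 * 60 * 60  # the rule's 2h match window

# Hypothetical tuning allowlist: service accounts whose backup jobs legitimately trigger both signals.
BACKUP_SERVICE_ACCOUNTS = {"svc_backup"}


def is_signal_a(ev):
    """Signal A: enumeration/bulk-copy tool launched with a UNC path on its command line."""
    if ev["metadata.event_type"] != "PROCESS_LAUNCH":
        return False
    exe, cmd = ev["target.process.file.full_path"], ev["target.process.command_line"]
    net = NET_EXE.search(exe) and NET_VERB.search(cmd) and UNC_IN_CMDLINE.search(cmd)
    copy = COPY_TOOLS.search(exe) and UNC_IN_CMDLINE.search(cmd)
    ps = POWERSHELL.search(exe) and UNC_IN_CMDLINE.search(cmd) and PS_CMDLETS.search(cmd)
    return bool(net or copy or ps)


def is_signal_b(ev):
    """Signal B: file created on a UNC path with a sensitive extension."""
    if ev["metadata.event_type"] != "FILE_CREATION":
        return False
    path = ev["target.file.full_path"]
    return bool(UNC_FILE_PATH.search(path) and SENSITIVE_EXT.search(path))


def correlate(events, allowlist=BACKUP_SERVICE_ACCOUNTS):
    """Return one alert per (host, user) pair of Signal A + Signal B at most WINDOW_SECONDS apart."""
    by_key = defaultdict(lambda: {"a": [], "b": []})
    for ev in events:
        key = (ev["principal.hostname"], ev["principal.user.userid"])
        if is_signal_a(ev):
            by_key[key]["a"].append(ev)
        elif is_signal_b(ev):
            by_key[key]["b"].append(ev)
    alerts = []
    for (host, user), sig in by_key.items():
        if user in allowlist:
            continue  # tuning: expected backup job, suppress
        for a in sig["a"]:
            for b in sig["b"]:
                delta = abs(a["metadata.event_timestamp.seconds"] - b["metadata.event_timestamp.seconds"])
                if delta <= WINDOW_SECONDS:
                    alerts.append({"hostname": host, "user": user,
                                   "process": a["target.process.command_line"],
                                   "file": b["target.file.full_path"]})
    return alerts


def _launch(host, user, ts, exe, cmdline):
    return {"metadata.event_type": "PROCESS_LAUNCH", "metadata.event_timestamp.seconds": ts,
            "principal.hostname": host, "principal.user.userid": user,
            "target.process.file.full_path": exe, "target.process.command_line": cmdline}


def _created(host, user, ts, path):
    return {"metadata.event_type": "FILE_CREATION", "metadata.event_timestamp.seconds": ts,
            "principal.hostname": host, "principal.user.userid": user, "target.file.full_path": path}


def sample_events():
    """Constructed events (not real telemetry): one alert pair, one out-of-window pair, one allowlisted job."""
    t0 = 1_700_000_000
    return [
        # WS01/jdoe: net use to a share, spreadsheet created on that share 30 min later -> alert
        _launch("WS01", "jdoe", t0, r"C:\Windows\System32\net.exe", r"net use Z: \\FILESRV01\Finance /persistent:no"),
        _created("WS01", "jdoe", t0 + 1800, r"\\FILESRV01\Finance\Q3\budget.xlsx"),
        # WS02/asmith: robocopy from a share, but the file creation is 3 h later -> outside the window
        _launch("WS02", "asmith", t0, r"C:\Windows\System32\Robocopy.exe", r"robocopy \\FILESRV01\HR C:\Temp\stage /S /E"),
        _created("WS02", "asmith", t0 + 3 * 3600 + 1, r"\\FILESRV01\HR\review.pdf"),
        # BKP01/svc_backup: nightly mirror, both signals within the window -> suppressed by the allowlist
        _launch("BKP01", "svc_backup", t0, r"C:\Windows\System32\Robocopy.exe", r"robocopy \\FILESRV01\Finance \\BACKUP01\Mirror /MIR"),
        _created("BKP01", "svc_backup", t0 + 600, r"\\BACKUP01\Mirror\Finance\Q3\budget.xlsx"),
        # WS04/carol: PowerShell recursive listing and copy, then a document created on the share -> alert
        _launch("WS04", "carol", t0 + 60, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                r"powershell.exe -c Get-ChildItem \\FILESRV01\Legal -Recurse | Copy-Item -Destination C:\Temp\out"),
        _created("WS04", "carol", t0 + 120, r"\\FILESRV01\Legal\contract.docx"),
        # WS05/bob: local file write only, no UNC path -> no Signal B
        _created("WS05", "bob", t0, r"C:\Users\bob\notes.txt"),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Run stand-alone it prints the two alerts (jdoe and carol); passing `allowlist=set()` to `correlate` also surfaces the svc_backup pair, which is the signal the first tuning bullet describes. The absolute-difference check is a simplification of the Chronicle match window, which buckets events into 2-hour windows rather than measuring pairwise distance.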

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Map and Enumerate Network Share with net use

    Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\localhost\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.

  2. Test 2: Bulk Document Collection via Robocopy from Network Share

    Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from robocopy.exe process.

  3. Test 3: PowerShell Recursive Document Harvest from Network Share

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing the UNC access pattern.

  4. Test 4: Forfiles-based Targeted Extension Harvest from Share

    Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.

Unlock Pro Content

Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.


Related Detections