T1039 Elastic Security · Elastic

Detect Data from Network Shared Drive in Elastic Security

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

MITRE ATT&CK

Tactic
Collection
Technique
T1039 Data from Network Shared Drive
Canonical reference
https://attack.mitre.org/techniques/T1039/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, user.name with maxspan=2h
  [any where event.category == "file" and event.action in ("creation", "change") and
   file.path : "\\\\*" and
   file.extension in~ ("doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "rtf", "db", "sql", "kdbx", "pfx", "key", "pem", "conf", "config", "ini", "bak", "eml", "msg", "ost", "pst")]
  [any where event.category == "process" and
   (
     (process.name in~ ("net.exe", "net1.exe") and process.command_line : ("* use *", "* view *") and process.command_line : "*\\\\*") or
     (process.name in~ ("robocopy.exe", "xcopy.exe", "forfiles.exe") and process.command_line : "*\\\\*") or
     (process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : "*\\\\*" and
      process.command_line : ("*Get-ChildItem*", "*Copy-Item*", "*Get-Item*", "*-Recurse*"))
   )
  ]

// Standalone bulk file collection rule (pipe separately in SIEM workflow):
// from logs-endpoint.events.file-*
// | where event.category == "file"
// | where file.path like "\\\\*"
// | where file.extension in ("doc","docx","xls","xlsx","pdf","ppt","pptx","txt","csv","rtf","db","sql","kdbx","pfx","key","pem","conf","config","ini","bak","eml","msg","ost","pst")
// | stats count(*) as file_count, count_distinct(file.path) as unique_paths by host.name, user.name, process.name
// | where file_count >= 25
high severity medium confidence

Detects data collection from network shared drives by correlating bulk UNC-path file creation/access events with share enumeration or bulk copy tool execution. Covers net use/view, robocopy, xcopy, forfiles, and PowerShell Get-ChildItem/Copy-Item targeting SMB shares within a 2-hour window — matching MITRE ATT&CK T1039 tactics observed from APT28, RedCurl, and Chimera.

Data Sources

Elastic Endpoint Security (logs-endpoint.events.file-*)Elastic Endpoint Security (logs-endpoint.events.process-*)Winlogbeat (winlogbeat-*)

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.process-*

False Positives & Tuning

  • Legitimate backup software (e.g., Veeam, Backup Exec agents) performing scheduled file copies from network shares to local staging directories
  • IT administrators using robocopy or xcopy for sanctioned data migrations between file servers or department shares
  • Software deployment tools (SCCM, PDQ Deploy) using UNC paths to stage installation packages across the environment
Download portable Sigma rule (.yml)

Other platforms for T1039

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Map and Enumerate Network Share with net use

    Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\\\localhost\\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.

  2. Test 2Bulk Document Collection via Robocopy from Network Share

    Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from robocopy.exe process.

  3. Test 3PowerShell Recursive Document Harvest from Network Share

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing UNC access pattern.

  4. Test 4Forfiles-based Targeted Extension Harvest from Share

    Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078Valid AccountsT1021.002SMB/Windows Admin SharesT1083File and Directory DiscoveryT1135Network Share DiscoveryT1560Archive Collected DataT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1550.002Pass the HashT1025Data from Removable MediaT1005Data from Local System

Same Tactic: Collection

Popular Detections