Detect Data from Network Shared Drive in CrowdStrike LogScale
Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1039 Data from Network Shared Drive
- Canonical reference: https://attack.mitre.org/techniques/T1039/
LogScale Detection Query
// Signal 1: Bulk copy tools and share enumeration processes targeting UNC paths
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)^(net|net1|robocopy|xcopy|forfiles|powershell|pwsh)\.exe$/
| CommandLine = /\\\\/
| case {
FileName = /(?i)net(1)?\.exe$/ AND CommandLine = /(?i)(use|view)/ => SignalType := "NetworkShareMounting"; Severity := "Medium";
FileName = /(?i)(robocopy|xcopy|forfiles)\.exe$/ => SignalType := "BulkCopyFromShare"; Severity := "High";
FileName = /(?i)(powershell|pwsh)\.exe$/ AND CommandLine = /(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\-Recurse)/ => SignalType := "PowerShellShareCollection"; Severity := "High";
* => SignalType := "NetworkShareToolUsage"; Severity := "Medium";
}
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, SignalType, Severity], function=[
count(aid, as=EventCount),
min(timestamp, as=EarliestTime),
max(timestamp, as=LatestTime)
])
| sort(EarliestTime, order=desc)
// Signal 2: Bulk file writes to network share paths (run separately or union at dashboard)
// #event_simpleName = "PeFileWritten" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "DocumentWritten"
// | TargetDirectoryName = /^\\\\/
// | TargetFileName = /(?i)\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$/
// | TargetDirectoryName = /^\\\\(?<ShareHost>[^\\]+)\\/   // named capture extracts the server name from the UNC path
// | groupBy([ComputerName, UserName, ContextBaseFileName, ShareHost], function=[
//   count(TargetFileName, as=FileCount),
//   min(timestamp, as=EarliestTime),
//   max(timestamp, as=LatestTime),
//   collect([TargetFileName], limit=10)   // up to 10 sample file names, returned in the TargetFileName field
// ])
// | FileCount >= 25
// | Severity := if(FileCount >= 100, then="High", else="Medium")
// | SignalType := "BulkNetworkShareWrite"
// | sort(EarliestTime, order=desc)
This CrowdStrike LogScale (Humio CQL) detection for T1039 covers two query patterns: (1) process execution signals built on ProcessRollup2 events that identify net use/view, robocopy, xcopy, forfiles, and PowerShell targeting UNC paths, with a severity classification per tool; and (2) bulk file write detection to UNC/SMB network paths for sensitive file extensions, firing once a 25-file threshold is exceeded. Both are grouped by host and user for analyst triage.
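The two signals above re-implemented in Python as an added example so the logic can be exercised offline against constructed events (this is not the page's or CrowdStrike's code; field names follow the query, and the hosts, users, share names and file names in the sample data are made up):

```python
# Added example, not part of the original page: Signal 1 and Signal 2 from the LogScale query above,
# mirrored in Python. Field names follow the query; every event below is constructed sample data.
import re
from collections import defaultdict

TOOL_RE = re.compile(r"^(net|net1|robocopy|xcopy|forfiles|powershell|pwsh)\.exe$", re.I)
PS_VERBS_RE = re.compile(r"(Get-ChildItem|Copy-Item|Get-Item|gci|-Recurse)", re.I)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\server\share\... -> capture "server" as ShareHost
SENSITIVE_RE = re.compile(r"\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$", re.I)

def classify_process(ev):
    """Signal 1: mirror the case{} block. Returns (SignalType, Severity) or None when not matched."""
    name, cmd = ev.get("FileName", ""), ev.get("CommandLine", "")
    if ev.get("#event_simpleName") != "ProcessRollup2" or not TOOL_RE.match(name) or "\\\\" not in cmd:
        return None
    n = name.lower()
    if n in ("net.exe", "net1.exe") and re.search(r"(use|view)", cmd, re.I):
        return ("NetworkShareMounting", "Medium")
    if n in ("robocopy.exe", "xcopy.exe", "forfiles.exe"):
        return ("BulkCopyFromShare", "High")
    if n in ("powershell.exe", "pwsh.exe") and PS_VERBS_RE.search(cmd):
        return ("PowerShellShareCollection", "High")
    return ("NetworkShareToolUsage", "Medium")  # the `*` fallthrough branch

def bulk_share_writes(events, threshold=25):
    """Signal 2: group sensitive-extension writes to UNC paths per host/user/process/share host."""
    groups = defaultdict(list)
    for ev in events:
        m = UNC_RE.match(ev.get("TargetDirectoryName", ""))
        if not m or not SENSITIVE_RE.search(ev.get("TargetFileName", "")):
            continue
        key = (ev["ComputerName"], ev["UserName"], ev["ContextBaseFileName"], m.group(1))
        groups[key].append(ev["TargetFileName"])
    return [{"key": k, "FileCount": len(v), "SampleFiles": v[:10], "SignalType": "BulkNetworkShareWrite",
             "Severity": "High" if len(v) >= 100 else "Medium"}
            for k, v in groups.items() if len(v) >= threshold]

# Constructed sample telemetry: 30 spreadsheet writes to one share plus a local write that must be ignored.
WRITES = [{"ComputerName": "WS01", "UserName": "alice", "ContextBaseFileName": "robocopy.exe",
           "TargetDirectoryName": "\\\\fileserver01\\finance\\2024\\", "TargetFileName": f"report-{i}.xlsx"}
          for i in range(30)]
WRITES.append({"ComputerName": "WS01", "UserName": "alice", "ContextBaseFileName": "explorer.exe",
               "TargetDirectoryName": "C:\\Users\\alice\\", "TargetFileName": "notes.docx"})
PROCS = [  # constructed ProcessRollup2 events: one net use, one robocopy, one PowerShell with no UNC path
    {"#event_simpleName": "ProcessRollup2", "FileName": "net.exe", "CommandLine": "net use Z: \\\\fileserver01\\finance"},
    {"#event_simpleName": "ProcessRollup2", "FileName": "robocopy.exe", "CommandLine": "robocopy \\\\fileserver01\\finance C:\\stage /S"},
    {"#event_simpleName": "ProcessRollup2", "FileName": "powershell.exe", "CommandLine": "powershell -c dir C:\\"},
]
```

Running `bulk_share_writes(WRITES)` yields one Medium hit for robocopy.exe against fileserver01 with FileCount 30; the explorer.exe write is dropped because its target is not a UNC path.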
False Positives & Tuning
- Endpoint management agents (e.g., BigFix, MECM) executing net use commands to administrative shares during patch deployment or inventory collection cycles
- Data migration projects where xcopy or robocopy is used under service accounts to transfer bulk document sets between file servers during business hours
- Security operations tooling (e.g., DFIR triage scripts) using PowerShell with Get-ChildItem and Copy-Item against evidence collection shares during incident response
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Map and Enumerate Network Share with net use
Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\localhost\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials are used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.
- Test 2: Bulk Document Collection via Robocopy from Network Share
Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\localhost' and '/S'. Sysmon Event ID 11: multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from the robocopy.exe process.
- Test 3: PowerShell Recursive Document Harvest from Network Share
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\localhost', 'Copy-Item'. Sysmon Event ID 11: multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing the UNC access pattern.
- Test 4: Forfiles-based Targeted Extension Harvest from Share
Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with a copy command. Sysmon Event ID 11: file creation events in %TEMP%\df00tech-forfiles-stage.