
Detect Data from Network Shared Drive in IBM QRadar

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

MITRE ATT&CK

Tactic: Collection
Technique: T1039 Data from Network Shared Drive
Canonical reference: https://attack.mitre.org/techniques/T1039/

QRadar Detection Query

-- Signal 1: Bulk file creation/writes to UNC paths (Sysmon Event 11)
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS EarliestTime,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LatestTime,
  sourceip AS DeviceIP,
  username AS AccountName,
  'BulkNetworkShareWrite' AS SignalType,
  CASE WHEN COUNT(*) >= 100 THEN 'High' ELSE 'Medium' END AS Severity,
  COUNT(*) AS FileCount,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  -- Restrict by log source type name; devicetype already holds the type ID, so resolve it to a name
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND QIDNAME(qid) LIKE '%FileCreate%'
  AND "TargetFilename" LIKE '\\\\%'
  AND (
    LOWER("TargetFilename") LIKE '%.doc' OR LOWER("TargetFilename") LIKE '%.docx'
    OR LOWER("TargetFilename") LIKE '%.xls' OR LOWER("TargetFilename") LIKE '%.xlsx'
    OR LOWER("TargetFilename") LIKE '%.pdf' OR LOWER("TargetFilename") LIKE '%.ppt'
    OR LOWER("TargetFilename") LIKE '%.csv' OR LOWER("TargetFilename") LIKE '%.rtf'
    OR LOWER("TargetFilename") LIKE '%.db' OR LOWER("TargetFilename") LIKE '%.sql'
    OR LOWER("TargetFilename") LIKE '%.kdbx' OR LOWER("TargetFilename") LIKE '%.pfx'
    OR LOWER("TargetFilename") LIKE '%.key' OR LOWER("TargetFilename") LIKE '%.pem'
    OR LOWER("TargetFilename") LIKE '%.conf' OR LOWER("TargetFilename") LIKE '%.bak'
    OR LOWER("TargetFilename") LIKE '%.eml' OR LOWER("TargetFilename") LIKE '%.pst'
  )
GROUP BY sourceip, username
HAVING COUNT(*) >= 25
-- In AQL the time window is a trailing clause, not a WHERE predicate
LAST 2 HOURS
UNION ALL
-- Signal 2: net use/view, robocopy, xcopy, forfiles, PowerShell targeting UNC paths (Sysmon Event 1 / Security 4688)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EarliestTime,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS LatestTime,
  sourceip AS DeviceIP,
  username AS AccountName,
  CASE
    WHEN LOWER("Image") LIKE '%net.exe' OR LOWER("Image") LIKE '%net1.exe' THEN 'NetworkShareMounting'
    WHEN LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe' OR LOWER("Image") LIKE '%forfiles.exe' THEN 'BulkCopyFromShare'
    WHEN LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe' THEN 'PowerShellShareCollection'
    ELSE 'NetworkShareToolUsage'
  END AS SignalType,
  CASE
    WHEN LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe'
         OR LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe' THEN 'High'
    ELSE 'Medium'
  END AS Severity,
  1 AS FileCount,
  QIDNAME(qid) AS EventName
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Image") LIKE '%net.exe' OR LOWER("Image") LIKE '%net1.exe')
    OR (LOWER("Image") LIKE '%robocopy.exe' OR LOWER("Image") LIKE '%xcopy.exe' OR LOWER("Image") LIKE '%forfiles.exe')
    OR (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe')
  )
  -- The command line begins with the executable, so the UNC path must be matched anywhere in it, not only at the start
  AND "CommandLine" LIKE '%\\\\%'
  AND (
    (LOWER("Image") LIKE '%net%' AND ("CommandLine" LIKE '% use %' OR "CommandLine" LIKE '% view %'))
    OR LOWER("Image") LIKE '%robocopy%'
    OR LOWER("Image") LIKE '%xcopy%'
    OR LOWER("Image") LIKE '%forfiles%'
    OR (LOWER("Image") LIKE '%powershell%' AND (
      LOWER("CommandLine") LIKE '%get-childitem%' OR LOWER("CommandLine") LIKE '%copy-item%'
      OR LOWER("CommandLine") LIKE '%get-item%' OR LOWER("CommandLine") LIKE '%-recurse%'
    ))
  )
ORDER BY EarliestTime DESC
LAST 2 HOURS
Severity: high; confidence: medium

AQL detection for T1039 covering two correlated signals: bulk file writes to UNC/SMB paths (Sysmon Event 11) with sensitive extensions exceeding a 25-file threshold per device and account, and execution of share enumeration or bulk copy tools (net use, robocopy, xcopy, forfiles, PowerShell) with a UNC path on the command line. The two result sets are combined with UNION ALL, and severity is assigned from the risk level of the tool involved.
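The same two-signal logic expressed as a small Python model, added here as an example rather than code from the page or from QRadar: it runs over constructed Sysmon-style records (Event 1 with Image/CommandLine, Event 11 with TargetFilename), applies the tool classification and severity CASE of Signal 2 and the extension list, 25-file threshold and 100-file High cut-over of Signal 1, and returns alert rows with the query's column names. The event dictionary layout and host/user/path values are assumptions made for the sample.

```python
import re
from collections import defaultdict
# Constructed sample telemetry (not real logs): Sysmon Event 1 (process create) and Event 11
# (file create) records carrying the fields the AQL query references.
SAMPLE_EVENTS = [
    {"id": 1, "host": "10.0.0.5", "user": "CORP\\alice", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\finance /persistent:no"},
    {"id": 1, "host": "10.0.0.5", "user": "CORP\\alice", "Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy \\fileserver\finance C:\Users\alice\AppData\Local\Temp\st /S"},
    {"id": 1, "host": "10.0.0.9", "user": "CORP\\bob", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user"},  # no UNC path in the command line: must not alert
] + [{"id": 11, "host": "10.0.0.7", "user": "CORP\\svc_backup", "Image": r"C:\Windows\explorer.exe",
      "TargetFilename": rf"\\nas01\staging\doc{i}.docx"} for i in range(30)]
SENSITIVE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".csv", ".rtf", ".db",
                 ".sql", ".kdbx", ".pfx", ".key", ".pem", ".conf", ".bak", ".eml", ".pst")
UNC = re.compile(r"\\\\[^\\\s]+\\")  # a \\server\share prefix

def classify_tool(image, cmdline):
    """Signal 2: return (SignalType, Severity) as the query's CASE expressions do, or None."""
    exe = image.lower().rsplit("\\", 1)[-1]
    cl = cmdline.lower()
    if not UNC.search(cmdline):  # the query requires a UNC path somewhere in CommandLine
        return None
    if exe in ("net.exe", "net1.exe") and (" use " in cl or " view " in cl):
        return ("NetworkShareMounting", "Medium")
    if exe in ("robocopy.exe", "xcopy.exe"):
        return ("BulkCopyFromShare", "High")
    if exe == "forfiles.exe":
        return ("BulkCopyFromShare", "Medium")
    if exe in ("powershell.exe", "pwsh.exe") and any(
            k in cl for k in ("get-childitem", "copy-item", "get-item", "-recurse")):
        return ("PowerShellShareCollection", "High")
    return None

def detect(events, threshold=25):
    """Run both signals over the events; return alert dicts keyed like the query's columns."""
    alerts, writes = [], defaultdict(int)
    for ev in events:
        if ev["id"] == 1:
            hit = classify_tool(ev["Image"], ev["CommandLine"])
            if hit:
                alerts.append({"DeviceIP": ev["host"], "AccountName": ev["user"],
                               "SignalType": hit[0], "Severity": hit[1], "FileCount": 1})
        elif ev["id"] == 11 and UNC.match(ev["TargetFilename"]) \
                and ev["TargetFilename"].lower().endswith(SENSITIVE_EXT):  # Signal 1
            writes[(ev["host"], ev["user"])] += 1
    for (host, user), n in writes.items():
        if n >= threshold:  # HAVING COUNT(*) >= 25; severity High from 100 files, as in the query
            alerts.append({"DeviceIP": host, "AccountName": user, "SignalType": "BulkNetworkShareWrite",
                           "Severity": "High" if n >= 100 else "Medium", "FileCount": n})
    return alerts
```

Raising `threshold` or adding the backup and deployment accounts from the tuning section to an exclusion list are the two knobs a tuning pass would turn here.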

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM)
  • Sysmon operational log via Windows Event Log DSM
  • QRadar Log Source: Sysmon (EventCode 1 Process Create, EventCode 11 File Create)

Required Tables

events

False Positives & Tuning

  • Automated backup agents (Veeam, Commvault, Acronis) generating high-volume file write events to network share targets during backup windows
  • Software distribution systems (SCCM, Intune, Ansible) using net use to mount administrative shares for policy or package deployment
  • Help desk or IT staff using robocopy for approved user data migrations or profile transfers between shared storage locations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Map and Enumerate Network Share with net use

    Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\localhost\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials are used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.

  2. Test 2: Bulk Document Collection via Robocopy from Network Share

    Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from the robocopy.exe process.

  3. Test 3: PowerShell Recursive Document Harvest from Network Share

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing the UNC access pattern.

  4. Test 4: Forfiles-based Targeted Extension Harvest from Share

    Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with a copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.
