T1039 Microsoft Sentinel · KQL

Detect Data from Network Shared Drive in Microsoft Sentinel

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

MITRE ATT&CK

Tactic
Collection
Technique
T1039 Data from Network Shared Drive
Canonical reference
https://attack.mitre.org/techniques/T1039/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousExtensions = dynamic(["doc", "docx", "xls", "xlsx", "pdf", "ppt", "pptx", "txt", "csv", "rtf", "db", "sql", "kdbx", "pfx", "key", "pem", "conf", "config", "ini", "bak", "eml", "msg", "ost", "pst"]);
let BulkAccessThreshold = 25;
let LookbackWindow = 2h;
// Signal 1: Bulk file reads/copies from UNC network paths in a short window
let BulkShareReads = DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType in ("FileRead", "FileCopied", "FileCreated")
| where FolderPath startswith @"\\\\"
| where FileExtension in~ (SuspiciousExtensions)
| summarize
    FileCount = count(),
    UniqueShares = dcount(tostring(split(FolderPath, "\\")[2])),
    FileTypes = make_set(FileExtension, 20),
    SampleFiles = make_set(FileName, 10),
    Earliest = min(Timestamp),
    Latest = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where FileCount >= BulkAccessThreshold
| extend SignalType = "BulkNetworkShareRead", Severity = iff(FileCount >= 100, "High", "Medium");
// Signal 2: net use / net view commands mapping or enumerating shares
let NetUseCommands = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("net.exe", "net1.exe")
| where ProcessCommandLine has "use" or ProcessCommandLine has "view"
| where ProcessCommandLine matches regex @"\\\\.+"
| extend SignalType = "NetworkShareMounting", Severity = "Medium"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Signal 3: Robocopy / xcopy / forfiles targeting UNC paths for bulk data collection
let BulkCopyTools = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("robocopy.exe", "xcopy.exe", "forfiles.exe")
| where ProcessCommandLine matches regex @"\\\\"
| extend SignalType = "BulkCopyFromShare", Severity = "High"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Signal 4: PowerShell bulk enumeration and copy from network paths
let PowerShellShareCollection = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (@"\\\\", "Get-ChildItem", "Copy-Item", "Get-Item")
       and ProcessCommandLine has_any (@"\\\\", "UNC", "-Path", "-Recurse")
| where ProcessCommandLine matches regex @"\\\\.+"
| extend SignalType = "PowerShellShareCollection", Severity = "High"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SignalType, Severity;
// Combine all signals
BulkShareReads
| project Timestamp = Earliest, DeviceName, AccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SignalType, Severity, FileCount, UniqueShares,
          FileTypes = tostring(FileTypes), SampleFiles = tostring(SampleFiles)
| union (NetUseCommands | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| union (BulkCopyTools | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| union (PowerShellShareCollection | extend FileCount = 0, UniqueShares = 0, FileTypes = "", SampleFiles = "")
| sort by Timestamp desc
high severity medium confidence

Multi-signal detection covering four distinct collection patterns for T1039. Signal 1 identifies bulk file reads/copies from UNC paths (\\server\share) in DeviceFileEvents where a single process accesses 25+ documents (configurable) matching sensitive extensions within 2 hours. Signal 2 catches net.exe/net1.exe invocations mapping or viewing network shares. Signal 3 detects Robocopy, xcopy, and forfiles targeting UNC paths — a menuPass TTP. Signal 4 flags PowerShell Get-ChildItem or Copy-Item operations against network paths, commonly used by RedCurl and Gamaredon. The BulkAccessThreshold variable (default: 25) should be tuned to your environment's baseline share access volume.

Data Sources

File: File AccessNetwork Share: Network Share AccessProcess: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceFileEventsDeviceProcessEvents

False Positives & Tuning

  • Backup agents (Veeam, Commvault, Windows Server Backup) performing scheduled backups from network shares — typically run as a service account during off-hours windows
  • DLP or data classification tools (Varonis, Spirion, Microsoft Purview) scanning network shares during inventory runs — generates high FileCount against many share paths
  • IT administrators using Robocopy or xcopy for legitimate data migration, server decommission, or disaster recovery operations with pre-approved change tickets
  • File synchronization clients (OneDrive, SharePoint sync, Dropbox Business) that mount SMB shares and perform bulk reads for sync operations
  • Antivirus or EDR agents performing full scan of network-accessible paths — parent process will be a security product executable
  • Software deployment tools (SCCM, Intune) accessing distribution point shares to cache or distribute software packages
Download portable Sigma rule (.yml)

Other platforms for T1039

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Map and Enumerate Network Share with net use

    Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\\\localhost\\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.

  2. Test 2Bulk Document Collection via Robocopy from Network Share

    Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from robocopy.exe process.

  3. Test 3PowerShell Recursive Document Harvest from Network Share

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing UNC access pattern.

  4. Test 4Forfiles-based Targeted Extension Harvest from Share

    Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078Valid AccountsT1021.002SMB/Windows Admin SharesT1083File and Directory DiscoveryT1135Network Share DiscoveryT1560Archive Collected DataT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1550.002Pass the HashT1025Data from Removable MediaT1005Data from Local System

Same Tactic: Collection

Popular Detections