T1039 Splunk · SPL

Detect Data from Network Shared Drive in Splunk

Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.

MITRE ATT&CK

Tactic
Collection
Technique
T1039 Data from Network Shared Drive
Canonical reference
https://attack.mitre.org/techniques/T1039/

SPL Detection Query

Splunk (SPL)
spl 
| union
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | where match(TargetFilename, "^\\\\\\\\[^\\\\]+\\\\")
    | where match(lower(TargetFilename), "\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|pst)$")
    | eval SignalType="BulkNetworkShareWrite"
    | eval ShareHost=mvindex(split(TargetFilename, "\\"), 2)
    | stats count as FileCount, dc(ShareHost) as UniqueShares, values(TargetFilename) as SampleFiles, earliest(_time) as Earliest, latest(_time) as Latest by host, User, Image, CommandLine, SignalType
    | where FileCount >= 25
    | eval Severity=if(FileCount >= 100, "High", "Medium") ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | where (match(lower(Image), "net(1)?\.exe$") AND match(CommandLine, "(use|view)") AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"))
       OR (match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$") AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]"))
       OR ((match(lower(Image), "(powershell|pwsh)\.exe$")) AND match(CommandLine, "\\\\\\\\[a-zA-Z0-9]") AND match(lower(CommandLine), "(get-childitem|copy-item|get-item|gci|cp )"))
    | eval SignalType=case(
        match(lower(Image), "net(1)?\.exe$"), "NetworkShareMounting",
        match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$"), "BulkCopyFromShare",
        match(lower(Image), "(powershell|pwsh)\.exe$"), "PowerShellShareCollection",
        true(), "NetworkShareToolUsage")
    | eval Severity=case(
        match(lower(Image), "(robocopy|xcopy|forfiles)\.exe$"), "High",
        match(lower(Image), "(powershell|pwsh)\.exe$"), "High",
        true(), "Medium")
    | eval FileCount=0, UniqueShares=0, SampleFiles=""
    | table _time as Earliest, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, Severity, FileCount, UniqueShares, SampleFiles ]
| rename host as DeviceName, User as AccountName, Image as ProcessImage, CommandLine as ProcessCommandLine
| sort - Earliest
high severity medium confidence

Two-branch detection for T1039 using Sysmon telemetry. Branch 1 uses Event ID 11 (File Create) to identify bulk creation of sensitive document types (25+ files) in paths matching UNC format (\\server\share\), aggregated per process within the search window. Branch 2 uses Event ID 1 (Process Create) to catch net.exe share mounting, Robocopy/xcopy bulk copy tools, and PowerShell Get-ChildItem/Copy-Item operations targeting UNC paths. Both branches tag a SignalType for analyst triage and assign severity based on the tool or volume involved. Adjust the FileCount threshold (default: 25) by baselining your environment's normal share write activity.

Data Sources

File: File CreationProcess: Process CreationCommand: Command ExecutionSysmon Event ID 1Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Backup agents writing to network share destinations during scheduled backup windows — Sysmon EID 11 will fire at high volume from the backup agent process
  • DLP/classification tools scanning network shares — generates sustained EID 11 bursts from the scanning service executable
  • Legitimate Robocopy/xcopy jobs for server migration or DR — verify against change management records and expected service account usage
  • SharePoint or OneDrive sync clients synchronizing large file sets to UNC-mounted paths
  • Software distribution points (SCCM) caching packages to network share locations
  • Developers or build pipelines copying build artifacts to file share paths using xcopy or robocopy
Download portable Sigma rule (.yml)

Other platforms for T1039

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Map and Enumerate Network Share with net use

    Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\\\localhost\\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.

  2. Test 2Bulk Document Collection via Robocopy from Network Share

    Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from robocopy.exe process.

  3. Test 3PowerShell Recursive Document Harvest from Network Share

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing UNC access pattern.

  4. Test 4Forfiles-based Targeted Extension Harvest from Share

    Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.

Last updated: 2026-04-16 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078Valid AccountsT1021.002SMB/Windows Admin SharesT1083File and Directory DiscoveryT1135Network Share DiscoveryT1560Archive Collected DataT1041Exfiltration Over C2 ChannelT1048Exfiltration Over Alternative ProtocolT1550.002Pass the HashT1025Data from Removable MediaT1005Data from Local System

Same Tactic: Collection

Popular Detections