Detect Data from Network Shared Drive in Sumo Logic CSE
Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1039 Data from Network Shared Drive
- Canonical reference
- https://attack.mitre.org/techniques/T1039/
Sumo Detection Query
// Signal 1: Bulk file creation on UNC/SMB network paths (Sysmon Event 11)
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| where EventID = "11"
| where TargetFilename matches "\\\\\\\\*"
| where TargetFilename matches "(?i)\\.(doc|docx|xls|xlsx|pdf|ppt|pptx|txt|csv|rtf|db|sql|kdbx|pfx|key|pem|conf|config|ini|bak|eml|msg|ost|pst)$"
| parse field=TargetFilename "\\\\\\\\*\\*" as ShareHost nodrop
| timeslice 2h
| stats count as FileCount, count_distinct(ShareHost) as UniqueShares, first(TargetFilename) as SampleFile, first(Image) as ProcessImage, first(CommandLine) as ProcessCmdLine by _timeslice, Computer, User
| where FileCount >= 25
| if (FileCount >= 100, "High", "Medium") as Severity
| "BulkNetworkShareWrite" as SignalType
| fields - _timeslice
// Signal 2: Share enumeration and bulk copy tools targeting UNC paths (Sysmon Event 1)
// Run separately and union results at dashboard level:
// (_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
// | where EventID = "1"
// | where (
// (Image matches "(?i)net(1)?\.exe$" and CommandLine matches "(?i)(use|view)" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]")
// OR (Image matches "(?i)(robocopy|xcopy|forfiles)\.exe$" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]")
// OR (Image matches "(?i)(powershell|pwsh)\.exe$" and CommandLine matches "\\\\\\\\[a-zA-Z0-9]"
// and CommandLine matches "(?i)(Get-ChildItem|Copy-Item|Get-Item|gci|\\-Recurse)")
// )
// | if (Image matches "(?i)(robocopy|xcopy|powershell|pwsh)", "High", "Medium") as Severity
// | if (Image matches "(?i)net(1)?\.exe", "NetworkShareMounting",
// if (Image matches "(?i)(robocopy|xcopy|forfiles)\.exe", "BulkCopyFromShare", "PowerShellShareCollection")) as SignalType
// | fields _messageTime as EarliestTime, Computer, User, Image, CommandLine, ParentImage, SignalType, SeveritySumo Logic CSE detection for T1039 identifying bulk file collection from SMB/UNC network shares via Sysmon Event 11 (FileCreate) and process execution signals (Sysmon Event 1) covering net use, net view, robocopy, xcopy, forfiles, and PowerShell cmdlets targeting UNC paths. Bulk threshold of 25 files within a 2-hour timeslice triggers medium severity; 100+ files triggers high.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise DFS namespace traversal by legitimate indexing services (Windows Search, SharePoint crawler) generating high file access counts against document library shares
- Power users running approved robocopy or xcopy scripts for departmental data archival or SharePoint migration projects
- Developers or DevOps engineers using PowerShell scripts with Get-ChildItem against build artifact shares during CI/CD pipeline runs
Other platforms for T1039
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Map and Enumerate Network Share with net use
Expected signal: Sysmon Event ID 1: net.exe process with CommandLine 'net use Z: \\\\localhost\\C$ /persistent:no'. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. Security Event 4648 if alternate credentials used. Security Event 5140 (network share accessed) on the target if Object Access auditing is enabled.
- Test 2Bulk Document Collection via Robocopy from Network Share
Expected signal: Sysmon Event ID 1: robocopy.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-stage with .dll extension. Sysmon Event ID 3: SMB connection to 127.0.0.1:445 from robocopy.exe process.
- Test 3PowerShell Recursive Document Harvest from Network Share
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ChildItem', '\\\\localhost', 'Copy-Item'. Sysmon Event ID 11: Multiple file creation events in %TEMP%\df00tech-ps-stage. Sysmon Event ID 3: SMB connection to 127.0.0.1:445. PowerShell ScriptBlock Logging Event ID 4104 will capture the full deobfuscated script showing UNC access pattern.
- Test 4Forfiles-based Targeted Extension Harvest from Share
Expected signal: Sysmon Event ID 1: forfiles.exe with CommandLine containing '\\\\localhost' and '/S'. Sysmon Event ID 1 (child): cmd.exe spawned by forfiles.exe with copy command. Sysmon Event ID 11: File creation events in %TEMP%\df00tech-forfiles-stage.
References (12)
- https://attack.mitre.org/techniques/T1039/
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.group-ib.com/resources/research/red-curl/
- https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-uncovers-gamaredon-groups-malicious-activities-in-ukraine/
- https://www.symantec.com/blogs/threat-intelligence/sowbug-targets-government-agencies
- https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf
- https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOF.PDF
- https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy
Unlock Pro Content
Get the full detection package for T1039 including response playbook, investigation guide, and atomic red team tests.