T1080

Taint Shared Content

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Variants include the directory share pivot (planting malicious .LNK files that masquerade as legitimate directories), binary infection (prepending or appending code to legitimate executables on shares), and Office document macro injection (as seen with Gamaredon Group). Threat actors including Conti, Ursnif, Ramsay, InvisiMole, and RedCurl have all leveraged this technique for lateral movement.

Microsoft Sentinel / Defender

kusto

let SuspiciousExtensions = dynamic([".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1", ".lnk"]);
let KnownSafeSources = dynamic(["MsMpEng.exe", "msiexec.exe", "TrustedInstaller.exe", "wuauclt.exe", "svchost.exe"]);
// Signal 1: Executable or script written to a UNC network path
let ExecOnShare = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath startswith @"\\\\"
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where strcat(".", FileExt) in~ (SuspiciousExtensions)
| where InitiatingProcessFileName !in~ (KnownSafeSources)
| extend Signal = "ExecOnNetworkShare";
// Signal 2: LNK file creation on a mapped or UNC share path (directory share pivot)
let LnkOnShare = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".lnk" or FileName endswith ".LNK"
| where FolderPath startswith @"\\\\" or FolderPath matches regex @"[A-Z]:\\.*\\(share|shares|public|users|common|docs|dept|data)"
| where InitiatingProcessFileName !in~ (KnownSafeSources)
| extend Signal = "LnkOnNetworkShare";
// Signal 3: Office document with macro-enabled extension written to a network share (Gamaredon pattern)
let OfficeOnShare = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".docm" or FileName endswith ".xlsm" or FileName endswith ".pptm"
    or FileName endswith ".doc" or FileName endswith ".xls"
| where FolderPath startswith @"\\\\"
| where InitiatingProcessFileName !in~ (KnownSafeSources)
| extend Signal = "MacroOfficeOnShare";
// Combine signals
union ExecOnShare, LnkOnShare, OfficeOnShare
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, FileExt, Signal,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessAccountName, InitiatingProcessId
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Microsoft Defender for Endpoint Network Share: Network Share Access

Required Tables

DeviceFileEvents

False Positives

Software deployment via SCCM or PDQ Deploy copying installation packages (.exe, .msi) to deployment shares
Backup agents or robocopy jobs replicating executables to archive network shares
IT administrators legitimately copying scripts (.ps1, .bat) to shared script repositories or SYSVOL for GPO deployment
Antivirus or EDR updates propagating via network share to air-gapped or slow-update endpoints
DFS replication (DFSR) synchronizing executables and documents across site shares
Development teams pushing compiled binaries to network-accessible build output directories

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval TargetFilename=lower(TargetFilename)
  | eval FileExt=mvindex(split(TargetFilename, "."), -1)
  | eval IsUNCPath=if(like(TargetFilename, "\\\\%"), 1, 0)
  | eval IsExecExt=if(match(FileExt, "^(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk)$"), 1, 0)
  | eval Signal="ExecOrLnkOnShare"
  | where IsUNCPath=1 AND IsExecExt=1
  | eval ProcessName=mvindex(split(Image, "\\"), -1)
  | where NOT match(ProcessName, "(?i)(MsMpEng|msiexec|TrustedInstaller|wuauclt)") 
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval TargetFilename=lower(TargetFilename)
  | eval IsUNCPath=if(like(TargetFilename, "\\\\%"), 1, 0)
  | eval IsOfficeDoc=if(match(TargetFilename, "\.(docm|xlsm|pptm|doc|xls)$"), 1, 0)
  | eval Signal="MacroOfficeOnShare"
  | where IsUNCPath=1 AND IsOfficeDoc=1
  | eval ProcessName=mvindex(split(Image, "\\"), -1)
  | where NOT match(ProcessName, "(?i)(MsMpEng|msiexec|TrustedInstaller)")
],
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=5145
  | eval AccessMask=lower(AccessMask)
  | eval HasWrite=if(match(AccessMask, "(0x2|0x4|0x40|write)"), 1, 0)
  | eval IsExecExt=if(match(lower(RelativeTargetName), "\.(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk|docm|xlsm)$"), 1, 0)
  | eval Signal="ShareWriteAudit"
  | where HasWrite=1 AND IsExecExt=1
  | rename SubjectUserName as User, IpAddress as src_ip, ShareName as SharePath
]
| eval _time=coalesce(_time, strptime(UtcTime, "%Y-%m-%d %H:%M:%S"))
| table _time, host, Signal, User, TargetFilename, RelativeTargetName, SharePath, Image, CommandLine, ProcessName, src_ip
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Network Share: Network Share Access Sysmon Event ID 11 Windows Security Event ID 5145

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

SCCM/Intune distribution points copying packages to deployment shares
Backup agents (Veeam, Backup Exec) with write access to shares containing executables
GPO deployment scripts written to SYSVOL by Domain Admins
Software update tools like WSUS Offline Update, chocolatey mirroring binaries to share
Development CI/CD pipelines pushing build artifacts to shared network directories

Sumo Logic CSE

sql

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| json auto
| where EventID in ("11", "5145")
// Normalize filename
| eval TargetFilename = if(!isNull(TargetFilename), toLowerCase(TargetFilename), toLowerCase(RelativeTargetName))
// UNC path or mapped share detection
| eval IsUNCPath = if(startsWith(TargetFilename, "\\\\"), 1, 0)
| eval IsMappedShare = if(matches(TargetFilename, "[a-z]:\\\\.*\\\\(share|shares|public|users|common|docs|dept|data)\\\\.*"), 1, 0)
| where IsUNCPath = 1 OR IsMappedShare = 1
// Suspicious extension check
| parse regex field=TargetFilename "\.(?<FileExt>[a-z0-9]+)$"
| where FileExt in ("exe","dll","scr","bat","cmd","vbs","js","hta","ps1","lnk","docm","xlsm","pptm","doc","xls")
// Signal classification
| eval Signal = if(FileExt in ("docm","xlsm","pptm","doc","xls"), "MacroOfficeOnShare",
               if(FileExt = "lnk", "LnkOnNetworkShare", "ExecOnNetworkShare"))
// Filter safe sources (Sysmon EventID 11 only)
| where EventID != "11" OR !matches(Image, "(?i)(MsMpEng\\.exe|msiexec\\.exe|TrustedInstaller\\.exe|wuauclt\\.exe|svchost\\.exe)")
// Share write audit filter (Security Event 5145)
| where EventID != "5145" OR matches(AccessMask, "(?i)(0x2|0x4|0x40|write)")
// Process name extraction
| parse regex field=Image "\\\\(?<ProcessName>[^\\\\]+)$" nodrop
| table _messageTime, Computer, Signal, SubjectUserName, TargetFilename, RelativeTargetName, ShareName, Image, ProcessName, CommandLine
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (EventID 11) Windows Security Event Log (EventID 5145)

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Software center agents or MDM solutions deploying .exe or .msi packages to share-based distribution points
Scripted IT operations using .ps1 or .bat files written to admin shares (ADMIN$, C$) for one-time maintenance tasks
Document management platforms that auto-save macro-enabled Excel/Word templates to shared departmental network drives

Google Chronicle / SecOps

yaral

rule t1080_taint_shared_content {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1080 Taint Shared Content — executables, scripts, LNK files, or macro-enabled Office documents written to UNC network paths or shared directory structures. Covers directory share pivot, binary planting, and Office macro injection patterns."
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1080"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "FILE_CREATION" or
    $e.metadata.event_type = "FILE_MODIFICATION"

    // UNC path or mapped share pattern
    (
      re.regex($e.target.file.full_path, `^\\\\`) or
      re.regex($e.target.file.full_path, `(?i)[A-Za-z]:\\.*\\(share|shares|public|users|common|docs|dept|data)\\`)
    )

    // Suspicious file extension
    re.regex($e.target.file.full_path, `(?i)\.(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk|docm|xlsm|pptm|doc|xls)$`)

    // Exclude known-safe initiating processes
    not re.regex($e.principal.process.file.full_path, `(?i)(MsMpEng\.exe|msiexec\.exe|TrustedInstaller\.exe|wuauclt\.exe|svchost\.exe)$`)

    $e.principal.hostname = $hostname

  match:
    $hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.file.full_path, `(?i)\.(exe|dll|scr)$`), 85,
      if(re.regex($e.target.file.full_path, `(?i)\.(docm|xlsm|pptm)$`), 80,
      if(re.regex($e.target.file.full_path, `(?i)\.lnk$`), 75, 65)))
    )
    $signal = if(
      re.regex($e.target.file.full_path, `(?i)\.(docm|xlsm|pptm|doc|xls)$`), "MacroOfficeOnShare",
      if(re.regex($e.target.file.full_path, `(?i)\.lnk$`), "LnkOnNetworkShare", "ExecOnNetworkShare")
    )
    $file_path = array_distinct($e.target.file.full_path)
    $initiating_process = array_distinct($e.principal.process.file.full_path)
    $user = array_distinct($e.principal.user.userid)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Endpoint Telemetry via Chronicle forwarder Sysmon via Chronicle ingestion

Required Tables

UDM events (FILE_CREATION, FILE_MODIFICATION)

False Positives

Legitimate software packaging workflows where build systems publish release artifacts (DLLs, EXEs) directly to a network share staging area
Authorized red team or penetration testing activity on internal network shares that mirrors this exact TTP
Helpdesk or sysadmin tooling (PSTools, remote admin kits) that drops .bat or .ps1 scripts to administrative shares for remote execution

CrowdStrike LogScale (CQL)

cql

// T1080 - Taint Shared Content: Executables, scripts, LNK, or Office macros written to network shares
#event_simpleName = "AsepValueUpdate" OR #event_simpleName = "NewExecutableWritten" OR #event_simpleName = "PeFileWritten" OR #event_simpleName = "SuspiciousFileWrite"
// Alternatively use the broader write events:
| #event_simpleName = /^(NewExecutableWritten|PeFileWritten|SuspiciousFileWrite|GenericFileWrite)$/

// Filter to UNC paths and known share patterns
| TargetFileName = /^(\\\\|[A-Za-z]:\\.*\\(share|shares|public|users|common|docs|dept|data)\\)/i

// Suspicious extensions
| TargetFileName = /\.(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk|docm|xlsm|pptm|doc|xls)$/i

// Exclude known-safe processes
| ImageFileName != /(?i)(MsMpEng\.exe|msiexec\.exe|TrustedInstaller\.exe|wuauclt\.exe|svchost\.exe)$/

// Signal classification
| eval Signal = if(match(TargetFileName, /\.(docm|xlsm|pptm|doc|xls)$/i), "MacroOfficeOnShare",
               if(match(TargetFileName, /\.lnk$/i), "LnkOnNetworkShare", "ExecOnNetworkShare"))

// Extract process name from full path
| ProcessName := ImageFileName
| ProcessName = /[^\\]+$/
| match(ProcessName, "value")

| groupBy([ComputerName, UserName, Signal, TargetFileName, ImageFileName, CommandLine], function=[
    count(aid, as=EventCount),
    max(ContextTimeStamp, as=LastSeen),
    min(ContextTimeStamp, as=FirstSeen)
  ])
| sort(LastSeen, order=desc)
| select([LastSeen, FirstSeen, ComputerName, UserName, Signal, TargetFileName, ImageFileName, CommandLine, EventCount])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor Falcon Data Replicator (FDR) Falcon LogScale / Humio

Required Tables

falcon:events (NewExecutableWritten, PeFileWritten, SuspiciousFileWrite, GenericFileWrite)

False Positives

Patch management or endpoint management platforms (Tanium, BigFix) that push executable updates to hosts via network share-based distribution
Development teams with CI/CD pipelines that write compiled binaries to shared NAS/SAN locations as part of internal artifact distribution
Power users legitimately creating .lnk shortcut files pointing to network share application launchers as part of desktop shortcut management

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1080 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Taint Shared Content

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Lateral Movement

Popular Detections