T1080 Splunk · SPL

Detect Taint Shared Content in Splunk

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Variants include the directory share pivot (planting malicious .LNK files that masquerade as legitimate directories), binary infection (prepending or appending code to legitimate executables on shares), and Office document macro injection (as seen with Gamaredon Group). Threat actors including Conti, Ursnif, Ramsay, InvisiMole, and RedCurl have all leveraged this technique for lateral movement.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1080 Taint Shared Content
Canonical reference: https://attack.mitre.org/techniques/T1080/

SPL Detection Query

Splunk (SPL)
| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval TargetFilename=lower(TargetFilename)
  | eval FileExt=mvindex(split(TargetFilename, "."), -1)
  | eval IsUNCPath=if(like(TargetFilename, "\\\\%"), 1, 0)
  | eval IsExecExt=if(match(FileExt, "^(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk)$"), 1, 0)
  | eval Signal="ExecOrLnkOnShare"
  | where IsUNCPath=1 AND IsExecExt=1
  | eval ProcessName=mvindex(split(Image, "\\"), -1)
  | where NOT match(ProcessName, "(?i)(MsMpEng|msiexec|TrustedInstaller|wuauclt)") 
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval TargetFilename=lower(TargetFilename)
  | eval IsUNCPath=if(like(TargetFilename, "\\\\%"), 1, 0)
  | eval IsOfficeDoc=if(match(TargetFilename, "\.(docm|xlsm|pptm|doc|xls)$"), 1, 0)
  | eval Signal="MacroOfficeOnShare"
  | where IsUNCPath=1 AND IsOfficeDoc=1
  | eval ProcessName=mvindex(split(Image, "\\"), -1)
  | where NOT match(ProcessName, "(?i)(MsMpEng|msiexec|TrustedInstaller)")
],
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=5145
  | eval AccessMask=lower(AccessMask)
  | eval HasWrite=if(match(AccessMask, "(0x2|0x4|0x40|write)"), 1, 0)
  | eval IsExecExt=if(match(lower(RelativeTargetName), "\.(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk|docm|xlsm)$"), 1, 0)
  | eval Signal="ShareWriteAudit"
  | where HasWrite=1 AND IsExecExt=1
  | rename SubjectUserName as User, IpAddress as src_ip, ShareName as SharePath
]
| eval _time=coalesce(_time, strptime(UtcTime, "%Y-%m-%d %H:%M:%S"))
| table _time, host, Signal, User, TargetFilename, RelativeTargetName, SharePath, Image, CommandLine, ProcessName, src_ip
| sort - _time
Severity: high · Confidence: medium

Three-signal SPL detection for T1080. Signal 1 uses Sysmon Event ID 11 (FileCreate) to identify executables, scripts, and .LNK files written to UNC network paths (\\server\share). Signal 2 uses Sysmon Event ID 11 for macro-enabled Office documents written to UNC paths, covering Gamaredon-style macro injection. Signal 3 uses Windows Security Event ID 5145 (network share object access audit) to catch write access to executable or script files on shares; this requires the 'Audit Detailed File Share' subcategory to be enabled via GPO. The two Sysmon-based signals exclude known legitimate system processes (Event ID 5145 carries no process image, so Signal 3 has no such filter and is tuned by user and share instead).

Data Sources

  • File: File Creation
  • Network Share: Network Share Access
  • Sysmon Event ID 11
  • Windows Security Event ID 5145

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • SCCM/Intune distribution points copying packages to deployment shares
  • Backup agents (Veeam, Backup Exec) with write access to shares containing executables
  • GPO deployment scripts written to SYSVOL by Domain Admins
  • Software update tools like WSUS Offline Update, chocolatey mirroring binaries to share
  • Development CI/CD pipelines pushing build artifacts to shared network directories
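The three signals described under the query, together with the allowlist-style suppression the tuning list above calls for, re-implemented in Python as an added example (this is not the page's own code and not a Splunk artifact). It runs the same path, extension and process checks over constructed sample events whose field names mirror the SPL query (TargetFilename, Image, RelativeTargetName, AccessMask, ShareName, SubjectUserName), so the logic can be exercised offline before the search is deployed. One deliberate difference: the 5145 AccessMask is decoded as a hex bit mask rather than substring-matched, so an execute-only mask such as 0x20 does not trip the write check. The SCCM and backup allowlist entries use hypothetical host, share and account names.

```python
# Added example (not from the original page): Python port of the three T1080
# signals plus tuning allowlist, run over constructed sample events.
import re

# Extension and process-exclusion patterns mirror the SPL query.
EXEC_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk)$")
MACRO_EXT = re.compile(r"\.(docm|xlsm|pptm|doc|xls)$")
SHARE_WRITE_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|vbs|js|hta|ps1|lnk|docm|xlsm)$")
SYSTEM_PROCS = re.compile(r"(?i)^(msmpeng|msiexec|trustedinstaller|wuauclt)\.exe$")

# Windows ACCESS_MASK bits that allow modifying a file (values from winnt.h).
FILE_WRITE_DATA = 0x2
FILE_APPEND_DATA = 0x4
GENERIC_WRITE = 0x40000000
WRITE_BITS = FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE

# Tuning allowlist: an event is suppressed when every field in a rule matches as a
# case-insensitive prefix. Host, share and account names here are hypothetical.
ALLOWLIST = [
    {"Image": r"c:\windows\ccm\ccmexec.exe", "TargetFilename": r"\\sccm01\smspkgd$"},
    {"SubjectUserName": "svc_veeam", "ShareName": r"\\*\backups"},
]


def basename(path):
    # Last path component, i.e. the SPL mvindex(split(Image, "\\"), -1).
    return path.rsplit("\\", 1)[-1]


def is_unc(path):
    # \\server\share\... paths, i.e. the SPL like(TargetFilename, "\\\\%").
    return path.startswith("\\\\")


def has_write_access(mask):
    # Decode a 5145 AccessMask such as "0x12019f" and bit-test the write bits.
    try:
        value = int(mask, 16)
    except (TypeError, ValueError):
        return False
    return bool(value & WRITE_BITS)


def classify(event):
    """Return the Signal an event trips, or None (one branch per union leg)."""
    code = event.get("EventCode")
    if code == 11:
        target = event.get("TargetFilename", "").lower()
        if not is_unc(target) or SYSTEM_PROCS.match(basename(event.get("Image", ""))):
            return None
        if EXEC_EXT.search(target):
            return "ExecOrLnkOnShare"
        if MACRO_EXT.search(target):
            return "MacroOfficeOnShare"
        return None
    if code == 5145:
        target = event.get("RelativeTargetName", "").lower()
        if has_write_access(event.get("AccessMask")) and SHARE_WRITE_EXT.search(target):
            return "ShareWriteAudit"
    return None


def is_allowlisted(event, allowlist=ALLOWLIST):
    """True when some rule matches every one of its fields as a prefix."""
    return any(
        all(str(event.get(k, "")).lower().startswith(v.lower()) for k, v in rule.items())
        for rule in allowlist
    )


def detect(events, allowlist=ALLOWLIST):
    """Apply the three signals, drop allowlisted hits, return the surviving rows."""
    hits = []
    for ev in events:
        signal = classify(ev)
        if signal and not is_allowlisted(ev, allowlist):
            hits.append({
                "Signal": signal,
                "host": ev.get("host"),
                "target": ev.get("TargetFilename") or ev.get("RelativeTargetName"),
                "ProcessName": basename(ev.get("Image", "")) or None,
                "User": ev.get("SubjectUserName"),
            })
    return hits


# Constructed sample events (file names taken from the page's test cases).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventCode": 11, "host": "ws01", "Image": CMD, "TargetFilename": r"\\localhost\C$\Users\Public\svchost_update.exe"},  # Signal 1
    {"EventCode": 11, "host": "ws01", "Image": PS, "TargetFilename": r"\\fs01\public\Shared Documents.lnk"},  # Signal 1 (.LNK pivot)
    {"EventCode": 11, "host": "ws01", "Image": PS, "TargetFilename": r"\\fs01\public\Q1_Budget_Review.docm"},  # Signal 2
    {"EventCode": 11, "host": "ws01", "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetFilename": r"\\fs01\public\tool.exe"},  # excluded system process
    {"EventCode": 11, "host": "ws01", "Image": CMD, "TargetFilename": r"C:\Users\Public\local.exe"},  # not a UNC path
    {"EventCode": 11, "host": "sccm01", "Image": r"C:\Windows\CCM\CcmExec.exe",
     "TargetFilename": r"\\sccm01\SMSPKGD$\ABC00001\setup.exe"},  # allowlisted SCCM copy
    {"EventCode": 5145, "host": "fs01", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\Public\svchost_update.exe", "AccessMask": "0x12019f"},  # Signal 3 (write)
    {"EventCode": 5145, "host": "fs01", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\Public\svchost_update.exe", "AccessMask": "0x20"},  # execute only, no write bit
    {"EventCode": 5145, "host": "fs01", "SubjectUserName": "svc_veeam", "ShareName": r"\\*\Backups",
     "RelativeTargetName": r"jobs\agent.exe", "AccessMask": "0x2"},  # allowlisted backup account
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the module prints four rows: two ExecOrLnkOnShare hits, one MacroOfficeOnShare hit and one ShareWriteAudit hit; the Defender write, the local-path write, the execute-only 5145 event and both allowlisted events are dropped. Each allowlist rule pins a process or account to a specific share prefix, which is the shape a tuning lookup for this search should take: allowlisting CcmExec.exe or the backup account everywhere would also hide a compromised deployment host.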
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Copy Malicious Executable to Network Share (Conti/Ursnif Pattern)

    Expected signal: Sysmon Event ID 11: TargetFilename=\\localhost\C$\Users\Public\svchost_update.exe, Image=cmd.exe or robocopy.exe/xcopy.exe. Sysmon Event ID 3: Network connection to localhost:445 from cmd.exe. Security Event ID 5145 on the target host: RelativeTargetName=Users\Public\svchost_update.exe, AccessMask including write/create. Security Event ID 5140: share \\*\C$ accessed.

  2. Test 2: Plant Malicious LNK File on Network Share (Directory Share Pivot)

    Expected signal: Sysmon Event ID 11: TargetFilename=\\localhost\C$\Users\Public\Shared Documents.lnk, Image=powershell.exe. DeviceFileEvents: FileName=Shared Documents.lnk, FolderPath=\\localhost\C$\Users\Public\, ActionType=FileCreated. If a user clicks the .LNK: Sysmon Event ID 1 with Image=cmd.exe, CommandLine containing the embedded payload, ParentImage=explorer.exe.

  3. Test 3: Inject Macro into Office Document on Network Share (Gamaredon Pattern)

    Expected signal: Sysmon Event ID 11: TargetFilename=\\localhost\C$\Users\Public\Q1_Budget_Review.docm, Image=powershell.exe. DeviceFileEvents: FileName=Q1_Budget_Review.docm, FolderPath starts with \\, ActionType=FileCreated. Security Event 5145 with RelativeTargetName=Users\Public\Q1_Budget_Review.docm and write access.

  4. Test 4: Bulk Executable Spreading Across Multiple Shares (Worm Propagation Simulation)

    Expected signal: Two Sysmon Event ID 11 entries: both with Image=cmd.exe and TargetFilename pointing to separate UNC share paths. Two Security Event 5145 entries on localhost for write to .exe on each share. DeviceFileEvents: two FileCreated events with distinct FolderPath values (different share names) from the same InitiatingProcessFileName within seconds.
