Which SIEM platforms have a T1135 detection rule?

df00tech provides T1135 (Network Share Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Network Share Discovery (T1135)?

Detecting Network Share Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1135 detection?

The T1135 detection is rated medium severity with high confidence.

What are common false positives for T1135?

Common false positives for T1135 include: IT administrators running net view or net share during legitimate network inventory, troubleshooting, or helpdesk work; Backup agents and monitoring tools querying local or remote shares on a scheduled basis (e.g., Veeam, Backup Exec, SolarWinds Network Performance Monitor); Vulnerability scanners and asset management platforms (Nessus, Qualys, Lansweeper) performing scheduled share enumeration as part of network discovery scans.

T1135

Network Share Discovery

Discovery Last updated: April 18, 2026

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

What is T1135 Network Share Discovery?

Network Share Discovery (T1135) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Network Share Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated medium severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1135 Network Share Discovery
Canonical reference: https://attack.mitre.org/techniques/T1135/

Microsoft Sentinel / Defender

kusto

// T1135 - Network Share Discovery
// Detects network share enumeration via built-in tools, PowerShell, WMI, and offensive tooling
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // net.exe / net1.exe - most common method used by Latrodectus, Kwampirs, QakBot
    (FileName in~ ("net.exe", "net1.exe") and
     ProcessCommandLine has_any (" view", " share"))
    // PowerShell share enumeration via SMB cmdlets or WMI Win32_Share
    or (FileName in~ ("powershell.exe", "pwsh.exe") and
        ProcessCommandLine has_any ("Get-SmbShare", "Win32_Share", "NetShareEnum", "net share", "net view"))
    // WMI via wmic.exe querying share class
    or (FileName =~ "wmic.exe" and
        ProcessCommandLine has_any ("share", "Win32_Share"))
    // NBTscan - network recon tool used by Tonto Team
    or FileName =~ "nbtscan.exe"
    // CrackMapExec with SMB/shares flags - used by APT39
    or (ProcessCommandLine has_any ("crackmapexec", "cme ") and
        ProcessCommandLine has_any ("smb", "--shares"))
)
| extend IsRemoteView = (
    FileName in~ ("net.exe", "net1.exe") and
    ProcessCommandLine has " view" and
    (ProcessCommandLine contains @"\\" or ProcessCommandLine has "/all")
)
| extend IsLocalShare = (
    FileName in~ ("net.exe", "net1.exe") and
    ProcessCommandLine has " share" and
    not ProcessCommandLine has_any ("add", "delete", "/delete")
)
| extend IsNetAllDomain = (
    FileName in~ ("net.exe", "net1.exe") and
    ProcessCommandLine has " view" and
    ProcessCommandLine has "/all"
)
| extend IsPowerShellWmi = (
    FileName in~ ("powershell.exe", "pwsh.exe") and
    ProcessCommandLine has_any ("Get-SmbShare", "Win32_Share", "NetShareEnum")
)
| extend IsSuspiciousTool = (
    FileName =~ "nbtscan.exe" or
    (ProcessCommandLine has_any ("crackmapexec", "cme ") and
     ProcessCommandLine has_any ("smb", "--shares"))
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellWmi, IsSuspiciousTool
| sort by Timestamp desc

Detects network share discovery using Microsoft Defender for Endpoint DeviceProcessEvents. Covers the most common enumeration methods: net.exe/net1.exe 'view' and 'share' subcommands (including remote UNC and /all domain-wide variants), PowerShell Get-SmbShare and WMI Win32_Share queries, wmic.exe share enumeration, NBTscan, and CrackMapExec with SMB flags. Boolean extension columns classify the detection method to help analysts quickly triage and prioritize follow-on investigation.

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running net view or net share during legitimate network inventory, troubleshooting, or helpdesk work
Backup agents and monitoring tools querying local or remote shares on a scheduled basis (e.g., Veeam, Backup Exec, SolarWinds Network Performance Monitor)
Vulnerability scanners and asset management platforms (Nessus, Qualys, Lansweeper) performing scheduled share enumeration as part of network discovery scans
SCCM distribution point or DFS replication health checks that enumerate available shares on managed servers
Developers or DevOps engineers using PowerShell Get-SmbShare or WMI to configure, validate, or document share permissions

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval img=lower(Image), cmdl=lower(CommandLine)
| where (
    (match(img, "\\\\net(1)?\\.exe$") AND (match(cmdl, "\\bview\\b") OR match(cmdl, "\\bshare\\b")))
    OR (match(img, "\\\\(powershell|pwsh)\\.exe$") AND match(cmdl, "(get-smbshare|win32_share|netshareenum)"))
    OR (match(img, "\\\\wmic\\.exe$") AND match(cmdl, "(win32_share|\\bshare\\b)"))
    OR match(img, "\\\\nbtscan\\.exe$")
    OR (match(cmdl, "(crackmapexec|\\bcme\\b)") AND match(cmdl, "(\\bsmb\\b|--shares)"))
)
| eval IsRemoteView=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bview\\b") AND (match(cmdl, "\\\\\\\\") OR match(cmdl, "/all")), 1, 0)
| eval IsLocalShare=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bshare\\b") AND NOT match(cmdl, "(add|delete)"), 1, 0)
| eval IsNetAllDomain=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bview\\b") AND match(cmdl, "/all"), 1, 0)
| eval IsPowerShellEnum=if(match(img, "\\\\(powershell|pwsh)\\.exe$") AND match(cmdl, "(get-smbshare|win32_share|netshareenum)"), 1, 0)
| eval IsWmicEnum=if(match(img, "\\\\wmic\\.exe$") AND match(cmdl, "(win32_share|\\bshare\\b)"), 1, 0)
| eval IsSuspiciousTool=if(match(img, "\\\\nbtscan\\.exe$") OR (match(cmdl, "(crackmapexec|\\bcme\\b)") AND match(cmdl, "(\\bsmb\\b|--shares)")), 1, 0)
| eval SuspicionScore=IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore
| sort - _time

Detects network share discovery using Sysmon Event ID 1 (Process Creation) logs. Evaluates lowercased command lines for net.exe/net1.exe view and share subcommands (including UNC paths and /all domain-wide variants), PowerShell SMB and WMI enumeration, wmic.exe share queries, NBTscan, and CrackMapExec with SMB flags. Assigns a cumulative suspicion score to help analysts prioritize: domain-wide or remote enumeration and offensive tooling score highest.

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running net view or net share during legitimate network inventory, troubleshooting, or helpdesk work
Backup agents and monitoring tools querying local or remote shares on a scheduled basis (e.g., Veeam, Backup Exec, SolarWinds Network Performance Monitor)
Vulnerability scanners and asset management platforms (Nessus, Qualys, Lansweeper) performing scheduled share enumeration as part of network discovery scans
SCCM distribution point or DFS replication health checks that enumerate available shares on managed servers
Developers or DevOps engineers using PowerShell Get-SmbShare or WMI to configure, validate, or document share permissions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "filename" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% view%'
         AND (LOWER("CommandLine") LIKE '%\\\\%' OR LOWER("CommandLine") LIKE '%/all%') THEN 1
    ELSE 0
  END AS is_remote_view,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% share%'
         AND LOWER("CommandLine") NOT LIKE '%add%' AND LOWER("CommandLine") NOT LIKE '%delete%' THEN 1
    ELSE 0
  END AS is_local_share,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% view%'
         AND LOWER("CommandLine") LIKE '%/all%' THEN 1
    ELSE 0
  END AS is_net_all_domain,
  CASE
    WHEN REGEXP_MATCH(LOWER("filename"), '(powershell|pwsh)\.exe')
         AND REGEXP_MATCH(LOWER("CommandLine"), '(get-smbshare|win32_share|netshareenum)') THEN 1
    ELSE 0
  END AS is_powershell_enum,
  CASE
    WHEN LOWER("filename") = 'nbtscan.exe'
         OR (REGEXP_MATCH(LOWER("CommandLine"), '(crackmapexec|\bcme\b)')
             AND REGEXP_MATCH(LOWER("CommandLine"), '(\bsmb\b|--shares)')) THEN 1
    ELSE 0
  END AS is_suspicious_tool
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 352)
  AND QIDNAME(qid) LIKE '%Process%'
  AND (
    (LOWER("filename") IN ('net.exe', 'net1.exe')
     AND (LOWER("CommandLine") LIKE '% view%' OR LOWER("CommandLine") LIKE '% share%'))
    OR (REGEXP_MATCH(LOWER("filename"), '(powershell|pwsh)\.exe')
        AND REGEXP_MATCH(LOWER("CommandLine"), '(get-smbshare|win32_share|netshareenum|net share|net view)'))
    OR (LOWER("filename") = 'wmic.exe'
        AND REGEXP_MATCH(LOWER("CommandLine"), '(win32_share|\bshare\b)'))
    OR LOWER("filename") = 'nbtscan.exe'
    OR (REGEXP_MATCH(LOWER("CommandLine"), '(crackmapexec|\bcme\b)')
        AND REGEXP_MATCH(LOWER("CommandLine"), '(\bsmb\b|--shares)'))
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 500

AQL query targeting Windows process creation events from Sysmon (LOGSOURCETYPEID 352) and WinEventLog (LOGSOURCETYPEID 12) to identify network share discovery via net.exe, net1.exe, PowerShell WMI/SMB cmdlets, wmic.exe Win32_Share queries, nbtscan, and CrackMapExec SMB enumeration. Classifies each match by discovery subtype.

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via QRadar DSM

Required Tables

events

False Positives

Network administrators using net view or net share routinely during shift handovers or troubleshooting sessions
Endpoint management platforms such as SCCM or Intune using WMI Win32_Share queries for compliance checks
Security scanners and vulnerability assessment tools querying SMB shares as part of authorized penetration testing

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventID=1
| parse regex field=Image "(?<proc_name>[^\\]+)$"
| parse regex field=ParentImage "(?<parent_proc_name>[^\\]+)$" nodrop
| eval proc_lower = toLowerCase(proc_name)
| eval cmd_lower = toLowerCase(CommandLine)
| where (
    (proc_lower in ("net.exe", "net1.exe") and (cmd_lower matches "* view*" or cmd_lower matches "* share*"))
    or (proc_lower in ("powershell.exe", "pwsh.exe") and (cmd_lower matches "*get-smbshare*" or cmd_lower matches "*win32_share*" or cmd_lower matches "*netshareenum*" or cmd_lower matches "*net share*" or cmd_lower matches "*net view*"))
    or (proc_lower = "wmic.exe" and (cmd_lower matches "*win32_share*" or cmd_lower matches "* share *"))
    or proc_lower = "nbtscan.exe"
    or ((cmd_lower matches "*crackmapexec*" or cmd_lower matches "* cme *") and (cmd_lower matches "* smb *" or cmd_lower matches "*--shares*"))
  )
| eval IsRemoteView = if(proc_lower in ("net.exe", "net1.exe") and cmd_lower matches "* view*" and (cmd_lower matches "*\\\\*" or cmd_lower matches "*/all*"), 1, 0)
| eval IsLocalShare = if(proc_lower in ("net.exe", "net1.exe") and cmd_lower matches "* share*" and !(cmd_lower matches "*add*" or cmd_lower matches "*delete*"), 1, 0)
| eval IsNetAllDomain = if(proc_lower in ("net.exe", "net1.exe") and cmd_lower matches "* view*" and cmd_lower matches "*/all*", 1, 0)
| eval IsPowerShellEnum = if(proc_lower in ("powershell.exe", "pwsh.exe") and (cmd_lower matches "*get-smbshare*" or cmd_lower matches "*win32_share*" or cmd_lower matches "*netshareenum*"), 1, 0)
| eval IsWmicEnum = if(proc_lower = "wmic.exe" and (cmd_lower matches "*win32_share*" or cmd_lower matches "* share *"), 1, 0)
| eval IsSuspiciousTool = if(proc_lower = "nbtscan.exe" or ((cmd_lower matches "*crackmapexec*" or cmd_lower matches "* cme *") and (cmd_lower matches "* smb *" or cmd_lower matches "*--shares*")), 1, 0)
| eval SuspicionScore = IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore
| sort by _messageTime desc

Sumo Logic query against Sysmon EventID 1 (Process Create) to detect network share discovery via net.exe/net1.exe view and share subcommands, PowerShell Get-SmbShare/Win32_Share/NetShareEnum calls, wmic.exe Win32_Share queries, nbtscan execution, and CrackMapExec SMB share enumeration. A SuspicionScore is calculated to support triage prioritization.

medium severity high confidence

Data Sources

Sysmon operational logs forwarded via Sumo Logic installed collector

Required Tables

_sourceCategory=windows/sysmon

False Positives

Helpdesk and IT operations staff using net view or net share to map drives or troubleshoot file access issues
Backup agents and data protection software querying available SMB shares before initiating backup jobs
Legitimate PowerShell DSC or auditing scripts using Get-SmbShare to produce inventory reports

Google Chronicle / SecOps

yaral

rule t1135_network_share_discovery {
  meta:
    author = "df00tech"
    description = "Detects network share discovery via net.exe/net1.exe, PowerShell WMI/SMB cmdlets, wmic.exe Win32_Share, nbtscan, and CrackMapExec --shares. Covers TTPs used by Conti, QakBot, Latrodectus, and APT39."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1135"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline
    (
      // net.exe / net1.exe view or share
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)net1?\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)\bview\b`)
          or re.regex($e.target.process.command_line, `(?i)\bshare\b`)
        )
      )
      or
      // PowerShell SMB/WMI enumeration
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(get-smbshare|win32_share|netshareenum|net share|net view)`)
      )
      or
      // wmic Win32_Share
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(win32_share|\bshare\b)`)
      )
      or
      // nbtscan
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)nbtscan\.exe$`)
      or
      // CrackMapExec SMB shares
      (
        re.regex($e.target.process.command_line, `(?i)(crackmapexec|\bcme\b)`)
        and re.regex($e.target.process.command_line, `(?i)(\bsmb\b|--shares)`)
      )
    )

  condition:
    $e
}

YARA-L 2.0 rule for Google Chronicle that matches PROCESS_LAUNCH UDM events where the target process is net.exe, net1.exe (with view or share subcommands), powershell.exe or pwsh.exe (with Get-SmbShare, Win32_Share, or NetShareEnum), wmic.exe querying Win32_Share, nbtscan.exe, or CrackMapExec with SMB share flags. Maps to MITRE ATT&CK T1135.

medium severity high confidence

Data Sources

Chronicle UDM via Google Security Operations ingestion — Windows endpoint logs with Sysmon or EDR forwarding

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Systems administrators using net view or net share in login scripts or scheduled automation to map network drives
File server auditing tools or DLP solutions querying Win32_Share through WMI or PowerShell on a scheduled basis
Red team or authorized penetration testing engagements using CrackMapExec or nbtscan with documented scope

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| eval img_lower=lower(ImageFileName)
| eval cmd_lower=lower(CommandLine)
| where
    (
      // net.exe / net1.exe view or share - QakBot, Latrodectus, Kwampirs
      (match(img_lower, /\\net1?\.exe$/) and (match(cmd_lower, /\bview\b/) or match(cmd_lower, /\bshare\b/)))
      // PowerShell SMB / WMI share enumeration
      or (match(img_lower, /\\(powershell|pwsh)\.exe$/) and match(cmd_lower, /(get-smbshare|win32_share|netshareenum|net share|net view)/))
      // wmic.exe Win32_Share
      or (match(img_lower, /\\wmic\.exe$/) and match(cmd_lower, /(win32_share|\bshare\b)/))
      // nbtscan - Tonto Team recon tool
      or match(img_lower, /\\nbtscan\.exe$/)
      // CrackMapExec SMB shares - APT39
      or (match(cmd_lower, /(crackmapexec|\bcme\b)/) and match(cmd_lower, /(\bsmb\b|--shares)/))
    )
| eval IsRemoteView=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bview\b/) and (match(cmd_lower, /\\\\/) or match(cmd_lower, /\/all/)), 1, 0)
| eval IsLocalShare=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bshare\b/) and not(match(cmd_lower, /(add|delete)/)), 1, 0)
| eval IsNetAllDomain=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bview\b/) and match(cmd_lower, /\/all/), 1, 0)
| eval IsPowerShellEnum=if(match(img_lower, /\\(powershell|pwsh)\.exe$/) and match(cmd_lower, /(get-smbshare|win32_share|netshareenum)/), 1, 0)
| eval IsWmicEnum=if(match(img_lower, /\\wmic\.exe$/) and match(cmd_lower, /(win32_share|\bshare\b)/), 1, 0)
| eval IsSuspiciousTool=if(match(img_lower, /\\nbtscan\.exe$/) or (match(cmd_lower, /(crackmapexec|\bcme\b)/) and match(cmd_lower, /(\bsmb\b|--shares)/)), 1, 0)
| eval SuspicionScore=IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore], function=count(as=EventCount))
| sort(SuspicionScore, order=desc)

CrowdStrike LogScale (CQL) query targeting ProcessRollup2 events to detect network share discovery via net.exe/net1.exe view and share subcommands, PowerShell Get-SmbShare/Win32_Share/NetShareEnum, wmic.exe Win32_Share queries, nbtscan, and CrackMapExec SMB share enumeration. Results are grouped and scored by detection subtype for analyst triage.

medium severity high confidence

Data Sources

CrowdStrike Falcon sensor telemetry — ProcessRollup2 events from Windows endpoints

Required Tables

ProcessRollup2

False Positives

IT helpdesk personnel running net view to diagnose file share access problems for end users
Automated inventory scripts using PowerShell Get-SmbShare or wmic Win32_Share queries on file servers
Authorized red team assessments or penetration testers with documented scope using CrackMapExec or nbtscan against in-scope hosts

Sigma rule & cross-platform mapping

The detection logic for Network Share Discovery (T1135) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1135 Sigma rules on detection.fyi

Platform-specific guides for T1135

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-18 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Enumerate Local Shares with net share
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe (or net1.exe), CommandLine='net share', ParentImage=cmd.exe or powershell.exe. Security Event ID 4688 if command line auditing is enabled via GPO.
Test 2Enumerate All Domain Network Shares with net view /all
Expected signal: Sysmon Event ID 1: Process Create with CommandLine='net view /all /domain'. Sysmon Event ID 3: Multiple outbound SMB connections (port 445) to domain controllers and other hosts. Windows Security Event ID 5145 on accessed servers for each share access check. DNS queries for domain host resolution.
Test 3Query Specific Remote Host Shares via UNC Path
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net view \\\\' followed by the resolved hostname. Sysmon Event ID 3: SMB connection to the target host on port 445. Windows Security Event ID 5140 and 5145 on the target host recording the source account and enumerated share names.
Test 4PowerShell WMI Network Share Enumeration via Win32_Share
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_Share'. PowerShell ScriptBlock Log Event ID 4104 with the full WMI query and returned share objects. Module load events (Sysmon Event ID 7) for WMI-related DLLs.
Test 5SMB Share Enumeration via PowerShell Get-SmbShare Cmdlet
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-SmbShare'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet invocation and output. Sysmon Event ID 7: Module load for SmbShare module DLLs (Microsoft.SMBServer.*).

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Network Share Discovery

What is T1135 Network Share Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1135

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1135 Network Share Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1135

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox