T1135

Network Share Discovery

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

Microsoft Sentinel / Defender

kusto

// T1135 - Network Share Discovery
// Detects network share enumeration via built-in tools, PowerShell, WMI, and offensive tooling
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // net.exe / net1.exe - most common method used by Latrodectus, Kwampirs, QakBot
    (FileName in~ ("net.exe", "net1.exe") and
     ProcessCommandLine has_any (" view", " share"))
    // PowerShell share enumeration via SMB cmdlets or WMI Win32_Share
    or (FileName in~ ("powershell.exe", "pwsh.exe") and
        ProcessCommandLine has_any ("Get-SmbShare", "Win32_Share", "NetShareEnum", "net share", "net view"))
    // WMI via wmic.exe querying share class
    or (FileName =~ "wmic.exe" and
        ProcessCommandLine has_any ("share", "Win32_Share"))
    // NBTscan - network recon tool used by Tonto Team
    or FileName =~ "nbtscan.exe"
    // CrackMapExec with SMB/shares flags - used by APT39
    or (ProcessCommandLine has_any ("crackmapexec", "cme ") and
        ProcessCommandLine has_any ("smb", "--shares"))
)
| extend IsRemoteView = (
    FileName in~ ("net.exe", "net1.exe") and
    ProcessCommandLine has " view" and
    (ProcessCommandLine contains @"\\" or ProcessCommandLine has "/all")
)
| extend IsLocalShare = (
    FileName in~ ("net.exe", "net1.exe") and
    ProcessCommandLine has " share" and
    not ProcessCommandLine has_any ("add", "delete", "/delete")
)
| extend IsNetAllDomain = (
    FileName in~ ("net.exe", "net1.exe") and
    ProcessCommandLine has " view" and
    ProcessCommandLine has "/all"
)
| extend IsPowerShellWmi = (
    FileName in~ ("powershell.exe", "pwsh.exe") and
    ProcessCommandLine has_any ("Get-SmbShare", "Win32_Share", "NetShareEnum")
)
| extend IsSuspiciousTool = (
    FileName =~ "nbtscan.exe" or
    (ProcessCommandLine has_any ("crackmapexec", "cme ") and
     ProcessCommandLine has_any ("smb", "--shares"))
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellWmi, IsSuspiciousTool
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT administrators running net view or net share during legitimate network inventory, troubleshooting, or helpdesk work
Backup agents and monitoring tools querying local or remote shares on a scheduled basis (e.g., Veeam, Backup Exec, SolarWinds Network Performance Monitor)
Vulnerability scanners and asset management platforms (Nessus, Qualys, Lansweeper) performing scheduled share enumeration as part of network discovery scans
SCCM distribution point or DFS replication health checks that enumerate available shares on managed servers
Developers or DevOps engineers using PowerShell Get-SmbShare or WMI to configure, validate, or document share permissions

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval img=lower(Image), cmdl=lower(CommandLine)
| where (
    (match(img, "\\\\net(1)?\\.exe$") AND (match(cmdl, "\\bview\\b") OR match(cmdl, "\\bshare\\b")))
    OR (match(img, "\\\\(powershell|pwsh)\\.exe$") AND match(cmdl, "(get-smbshare|win32_share|netshareenum)"))
    OR (match(img, "\\\\wmic\\.exe$") AND match(cmdl, "(win32_share|\\bshare\\b)"))
    OR match(img, "\\\\nbtscan\\.exe$")
    OR (match(cmdl, "(crackmapexec|\\bcme\\b)") AND match(cmdl, "(\\bsmb\\b|--shares)"))
)
| eval IsRemoteView=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bview\\b") AND (match(cmdl, "\\\\\\\\") OR match(cmdl, "/all")), 1, 0)
| eval IsLocalShare=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bshare\\b") AND NOT match(cmdl, "(add|delete)"), 1, 0)
| eval IsNetAllDomain=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bview\\b") AND match(cmdl, "/all"), 1, 0)
| eval IsPowerShellEnum=if(match(img, "\\\\(powershell|pwsh)\\.exe$") AND match(cmdl, "(get-smbshare|win32_share|netshareenum)"), 1, 0)
| eval IsWmicEnum=if(match(img, "\\\\wmic\\.exe$") AND match(cmdl, "(win32_share|\\bshare\\b)"), 1, 0)
| eval IsSuspiciousTool=if(match(img, "\\\\nbtscan\\.exe$") OR (match(cmdl, "(crackmapexec|\\bcme\\b)") AND match(cmdl, "(\\bsmb\\b|--shares)")), 1, 0)
| eval SuspicionScore=IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators running net view or net share during legitimate network inventory, troubleshooting, or helpdesk work
Backup agents and monitoring tools querying local or remote shares on a scheduled basis (e.g., Veeam, Backup Exec, SolarWinds Network Performance Monitor)
Vulnerability scanners and asset management platforms (Nessus, Qualys, Lansweeper) performing scheduled share enumeration as part of network discovery scans
SCCM distribution point or DFS replication health checks that enumerate available shares on managed servers
Developers or DevOps engineers using PowerShell Get-SmbShare or WMI to configure, validate, or document share permissions

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "filename" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% view%'
         AND (LOWER("CommandLine") LIKE '%\\\\%' OR LOWER("CommandLine") LIKE '%/all%') THEN 1
    ELSE 0
  END AS is_remote_view,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% share%'
         AND LOWER("CommandLine") NOT LIKE '%add%' AND LOWER("CommandLine") NOT LIKE '%delete%' THEN 1
    ELSE 0
  END AS is_local_share,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% view%'
         AND LOWER("CommandLine") LIKE '%/all%' THEN 1
    ELSE 0
  END AS is_net_all_domain,
  CASE
    WHEN REGEXP_MATCH(LOWER("filename"), '(powershell|pwsh)\.exe')
         AND REGEXP_MATCH(LOWER("CommandLine"), '(get-smbshare|win32_share|netshareenum)') THEN 1
    ELSE 0
  END AS is_powershell_enum,
  CASE
    WHEN LOWER("filename") = 'nbtscan.exe'
         OR (REGEXP_MATCH(LOWER("CommandLine"), '(crackmapexec|\bcme\b)')
             AND REGEXP_MATCH(LOWER("CommandLine"), '(\bsmb\b|--shares)')) THEN 1
    ELSE 0
  END AS is_suspicious_tool
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 352)
  AND QIDNAME(qid) LIKE '%Process%'
  AND (
    (LOWER("filename") IN ('net.exe', 'net1.exe')
     AND (LOWER("CommandLine") LIKE '% view%' OR LOWER("CommandLine") LIKE '% share%'))
    OR (REGEXP_MATCH(LOWER("filename"), '(powershell|pwsh)\.exe')
        AND REGEXP_MATCH(LOWER("CommandLine"), '(get-smbshare|win32_share|netshareenum|net share|net view)'))
    OR (LOWER("filename") = 'wmic.exe'
        AND REGEXP_MATCH(LOWER("CommandLine"), '(win32_share|\bshare\b)'))
    OR LOWER("filename") = 'nbtscan.exe'
    OR (REGEXP_MATCH(LOWER("CommandLine"), '(crackmapexec|\bcme\b)')
        AND REGEXP_MATCH(LOWER("CommandLine"), '(\bsmb\b|--shares)'))
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 500

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon via QRadar DSM

Required Tables

events

False Positives

Network administrators using net view or net share routinely during shift handovers or troubleshooting sessions
Endpoint management platforms such as SCCM or Intune using WMI Win32_Share queries for compliance checks
Security scanners and vulnerability assessment tools querying SMB shares as part of authorized penetration testing

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventID=1
| parse regex field=Image "(?<proc_name>[^\\]+)$"
| parse regex field=ParentImage "(?<parent_proc_name>[^\\]+)$" nodrop
| eval proc_lower = toLowerCase(proc_name)
| eval cmd_lower = toLowerCase(CommandLine)
| where (
    (proc_lower in ("net.exe", "net1.exe") and (cmd_lower matches "* view*" or cmd_lower matches "* share*"))
    or (proc_lower in ("powershell.exe", "pwsh.exe") and (cmd_lower matches "*get-smbshare*" or cmd_lower matches "*win32_share*" or cmd_lower matches "*netshareenum*" or cmd_lower matches "*net share*" or cmd_lower matches "*net view*"))
    or (proc_lower = "wmic.exe" and (cmd_lower matches "*win32_share*" or cmd_lower matches "* share *"))
    or proc_lower = "nbtscan.exe"
    or ((cmd_lower matches "*crackmapexec*" or cmd_lower matches "* cme *") and (cmd_lower matches "* smb *" or cmd_lower matches "*--shares*"))
  )
| eval IsRemoteView = if(proc_lower in ("net.exe", "net1.exe") and cmd_lower matches "* view*" and (cmd_lower matches "*\\\\*" or cmd_lower matches "*/all*"), 1, 0)
| eval IsLocalShare = if(proc_lower in ("net.exe", "net1.exe") and cmd_lower matches "* share*" and !(cmd_lower matches "*add*" or cmd_lower matches "*delete*"), 1, 0)
| eval IsNetAllDomain = if(proc_lower in ("net.exe", "net1.exe") and cmd_lower matches "* view*" and cmd_lower matches "*/all*", 1, 0)
| eval IsPowerShellEnum = if(proc_lower in ("powershell.exe", "pwsh.exe") and (cmd_lower matches "*get-smbshare*" or cmd_lower matches "*win32_share*" or cmd_lower matches "*netshareenum*"), 1, 0)
| eval IsWmicEnum = if(proc_lower = "wmic.exe" and (cmd_lower matches "*win32_share*" or cmd_lower matches "* share *"), 1, 0)
| eval IsSuspiciousTool = if(proc_lower = "nbtscan.exe" or ((cmd_lower matches "*crackmapexec*" or cmd_lower matches "* cme *") and (cmd_lower matches "* smb *" or cmd_lower matches "*--shares*")), 1, 0)
| eval SuspicionScore = IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore
| sort by _messageTime desc

medium severity high confidence

Data Sources

Sysmon operational logs forwarded via Sumo Logic installed collector

Required Tables

_sourceCategory=windows/sysmon

False Positives

Helpdesk and IT operations staff using net view or net share to map drives or troubleshoot file access issues
Backup agents and data protection software querying available SMB shares before initiating backup jobs
Legitimate PowerShell DSC or auditing scripts using Get-SmbShare to produce inventory reports

Google Chronicle / SecOps

yaral

rule t1135_network_share_discovery {
  meta:
    author = "df00tech"
    description = "Detects network share discovery via net.exe/net1.exe, PowerShell WMI/SMB cmdlets, wmic.exe Win32_Share, nbtscan, and CrackMapExec --shares. Covers TTPs used by Conti, QakBot, Latrodectus, and APT39."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1135"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline
    (
      // net.exe / net1.exe view or share
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)net1?\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)\bview\b`)
          or re.regex($e.target.process.command_line, `(?i)\bshare\b`)
        )
      )
      or
      // PowerShell SMB/WMI enumeration
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(get-smbshare|win32_share|netshareenum|net share|net view)`)
      )
      or
      // wmic Win32_Share
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(win32_share|\bshare\b)`)
      )
      or
      // nbtscan
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)nbtscan\.exe$`)
      or
      // CrackMapExec SMB shares
      (
        re.regex($e.target.process.command_line, `(?i)(crackmapexec|\bcme\b)`)
        and re.regex($e.target.process.command_line, `(?i)(\bsmb\b|--shares)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM via Google Security Operations ingestion — Windows endpoint logs with Sysmon or EDR forwarding

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Systems administrators using net view or net share in login scripts or scheduled automation to map network drives
File server auditing tools or DLP solutions querying Win32_Share through WMI or PowerShell on a scheduled basis
Red team or authorized penetration testing engagements using CrackMapExec or nbtscan with documented scope

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| eval img_lower=lower(ImageFileName)
| eval cmd_lower=lower(CommandLine)
| where
    (
      // net.exe / net1.exe view or share - QakBot, Latrodectus, Kwampirs
      (match(img_lower, /\\net1?\.exe$/) and (match(cmd_lower, /\bview\b/) or match(cmd_lower, /\bshare\b/)))
      // PowerShell SMB / WMI share enumeration
      or (match(img_lower, /\\(powershell|pwsh)\.exe$/) and match(cmd_lower, /(get-smbshare|win32_share|netshareenum|net share|net view)/))
      // wmic.exe Win32_Share
      or (match(img_lower, /\\wmic\.exe$/) and match(cmd_lower, /(win32_share|\bshare\b)/))
      // nbtscan - Tonto Team recon tool
      or match(img_lower, /\\nbtscan\.exe$/)
      // CrackMapExec SMB shares - APT39
      or (match(cmd_lower, /(crackmapexec|\bcme\b)/) and match(cmd_lower, /(\bsmb\b|--shares)/))
    )
| eval IsRemoteView=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bview\b/) and (match(cmd_lower, /\\\\/) or match(cmd_lower, /\/all/)), 1, 0)
| eval IsLocalShare=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bshare\b/) and not(match(cmd_lower, /(add|delete)/)), 1, 0)
| eval IsNetAllDomain=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bview\b/) and match(cmd_lower, /\/all/), 1, 0)
| eval IsPowerShellEnum=if(match(img_lower, /\\(powershell|pwsh)\.exe$/) and match(cmd_lower, /(get-smbshare|win32_share|netshareenum)/), 1, 0)
| eval IsWmicEnum=if(match(img_lower, /\\wmic\.exe$/) and match(cmd_lower, /(win32_share|\bshare\b)/), 1, 0)
| eval IsSuspiciousTool=if(match(img_lower, /\\nbtscan\.exe$/) or (match(cmd_lower, /(crackmapexec|\bcme\b)/) and match(cmd_lower, /(\bsmb\b|--shares)/)), 1, 0)
| eval SuspicionScore=IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore], function=count(as=EventCount))
| sort(SuspicionScore, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon sensor telemetry — ProcessRollup2 events from Windows endpoints

Required Tables

ProcessRollup2

False Positives

IT helpdesk personnel running net view to diagnose file share access problems for end users
Automated inventory scripts using PowerShell Get-SmbShare or wmic Win32_Share queries on file servers
Authorized red team assessments or penetration testers with documented scope using CrackMapExec or nbtscan against in-scope hosts

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Network Share Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections