T1135 Google Chronicle · YARA-L

Detect Network Share Discovery in Google Chronicle

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

MITRE ATT&CK

Tactic
Discovery
Technique
T1135 Network Share Discovery
Canonical reference
https://attack.mitre.org/techniques/T1135/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1135_network_share_discovery {
  meta:
    author = "df00tech"
    description = "Detects network share discovery via net.exe/net1.exe, PowerShell WMI/SMB cmdlets, wmic.exe Win32_Share, nbtscan, and CrackMapExec --shares. Covers TTPs used by Conti, QakBot, Latrodectus, and APT39."
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1135"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmdline
    (
      // net.exe / net1.exe view or share
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)net1?\.exe$`)
        and (
          re.regex($e.target.process.command_line, `(?i)\bview\b`)
          or re.regex($e.target.process.command_line, `(?i)\bshare\b`)
        )
      )
      or
      // PowerShell SMB/WMI enumeration
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(get-smbshare|win32_share|netshareenum|net share|net view)`)
      )
      or
      // wmic Win32_Share
      (
        re.regex($e.target.process.file.full_path, `(?i)(\\|/)wmic\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(win32_share|\bshare\b)`)
      )
      or
      // nbtscan
      re.regex($e.target.process.file.full_path, `(?i)(\\|/)nbtscan\.exe$`)
      or
      // CrackMapExec SMB shares
      (
        re.regex($e.target.process.command_line, `(?i)(crackmapexec|\bcme\b)`)
        and re.regex($e.target.process.command_line, `(?i)(\bsmb\b|--shares)`)
      )
    )

  condition:
    $e
}
medium severity high confidence

YARA-L 2.0 rule for Google Chronicle that matches PROCESS_LAUNCH UDM events where the target process is net.exe, net1.exe (with view or share subcommands), powershell.exe or pwsh.exe (with Get-SmbShare, Win32_Share, or NetShareEnum), wmic.exe querying Win32_Share, nbtscan.exe, or CrackMapExec with SMB share flags. Maps to MITRE ATT&CK T1135.

Data Sources

Chronicle UDM via Google Security Operations ingestion — Windows endpoint logs with Sysmon or EDR forwarding

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Systems administrators using net view or net share in login scripts or scheduled automation to map network drives
  • File server auditing tools or DLP solutions querying Win32_Share through WMI or PowerShell on a scheduled basis
  • Red team or authorized penetration testing engagements using CrackMapExec or nbtscan with documented scope
Download portable Sigma rule (.yml)

Other platforms for T1135

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Local Shares with net share

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe (or net1.exe), CommandLine='net share', ParentImage=cmd.exe or powershell.exe. Security Event ID 4688 if command line auditing is enabled via GPO.

  2. Test 2Enumerate All Domain Network Shares with net view /all

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine='net view /all /domain'. Sysmon Event ID 3: Multiple outbound SMB connections (port 445) to domain controllers and other hosts. Windows Security Event ID 5145 on accessed servers for each share access check. DNS queries for domain host resolution.

  3. Test 3Query Specific Remote Host Shares via UNC Path

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net view \\\\' followed by the resolved hostname. Sysmon Event ID 3: SMB connection to the target host on port 445. Windows Security Event ID 5140 and 5145 on the target host recording the source account and enumerated share names.

  4. Test 4PowerShell WMI Network Share Enumeration via Win32_Share

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_Share'. PowerShell ScriptBlock Log Event ID 4104 with the full WMI query and returned share objects. Module load events (Sysmon Event ID 7) for WMI-related DLLs.

  5. Test 5SMB Share Enumeration via PowerShell Get-SmbShare Cmdlet

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-SmbShare'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet invocation and output. Sysmon Event ID 7: Module load for SmbShare module DLLs (Microsoft.SMBServer.*).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1021.002SMB/Windows Admin SharesT1039Data from Network Shared DriveT1083File and Directory DiscoveryT1016System Network Configuration DiscoveryT1018Remote System DiscoveryT1087.002Domain AccountT1069.002Domain GroupsT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1074.002Remote Data Staging

Same Tactic: Discovery

Popular Detections