T1135 Elastic Security · Elastic

Detect Network Share Discovery in Elastic Security

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

MITRE ATT&CK

Tactic
Discovery
Technique
T1135 Network Share Discovery
Canonical reference
https://attack.mitre.org/techniques/T1135/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  (process.name in~ ("net.exe", "net1.exe") and
   (process.args : "view" or process.args : "share"))
  or
  (process.name in~ ("powershell.exe", "pwsh.exe") and
   process.command_line : ("*Get-SmbShare*", "*Win32_Share*", "*NetShareEnum*", "*net share*", "*net view*"))
  or
  (process.name == "wmic.exe" and
   process.command_line : ("*Win32_Share*", "*share*"))
  or
  process.name == "nbtscan.exe"
  or
  (process.command_line : ("*crackmapexec*", "*cme *") and
   process.command_line : ("*smb*", "*--shares*"))
)
medium severity high confidence

Detects network share discovery via net.exe/net1.exe view/share commands, PowerShell SMB/WMI enumeration (Get-SmbShare, Win32_Share, NetShareEnum), wmic.exe Win32_Share queries, nbtscan, and CrackMapExec SMB share enumeration. Covers TTPs used by Conti, QakBot, Latrodectus, and APT39.

Data Sources

Endpoint process telemetry via Elastic Agent or Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-*winlogbeat-*

False Positives & Tuning

  • IT administrators running net view or net share for inventory or troubleshooting purposes
  • Monitoring or asset management software (e.g., Lansweeper, SCCM) querying Win32_Share via WMI
  • PowerShell scripts in managed environments using Get-SmbShare for legitimate file server auditing
Download portable Sigma rule (.yml)

Other platforms for T1135

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Local Shares with net share

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe (or net1.exe), CommandLine='net share', ParentImage=cmd.exe or powershell.exe. Security Event ID 4688 if command line auditing is enabled via GPO.

  2. Test 2Enumerate All Domain Network Shares with net view /all

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine='net view /all /domain'. Sysmon Event ID 3: Multiple outbound SMB connections (port 445) to domain controllers and other hosts. Windows Security Event ID 5145 on accessed servers for each share access check. DNS queries for domain host resolution.

  3. Test 3Query Specific Remote Host Shares via UNC Path

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net view \\\\' followed by the resolved hostname. Sysmon Event ID 3: SMB connection to the target host on port 445. Windows Security Event ID 5140 and 5145 on the target host recording the source account and enumerated share names.

  4. Test 4PowerShell WMI Network Share Enumeration via Win32_Share

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_Share'. PowerShell ScriptBlock Log Event ID 4104 with the full WMI query and returned share objects. Module load events (Sysmon Event ID 7) for WMI-related DLLs.

  5. Test 5SMB Share Enumeration via PowerShell Get-SmbShare Cmdlet

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-SmbShare'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet invocation and output. Sysmon Event ID 7: Module load for SmbShare module DLLs (Microsoft.SMBServer.*).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1021.002SMB/Windows Admin SharesT1039Data from Network Shared DriveT1083File and Directory DiscoveryT1016System Network Configuration DiscoveryT1018Remote System DiscoveryT1087.002Domain AccountT1069.002Domain GroupsT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1074.002Remote Data Staging

Same Tactic: Discovery

Popular Detections