T1135 CrowdStrike LogScale · LogScale

Detect Network Share Discovery in CrowdStrike LogScale

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

MITRE ATT&CK

Tactic
Discovery
Technique
T1135 Network Share Discovery
Canonical reference
https://attack.mitre.org/techniques/T1135/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| eval img_lower=lower(ImageFileName)
| eval cmd_lower=lower(CommandLine)
| where
    (
      // net.exe / net1.exe view or share - QakBot, Latrodectus, Kwampirs
      (match(img_lower, /\\net1?\.exe$/) and (match(cmd_lower, /\bview\b/) or match(cmd_lower, /\bshare\b/)))
      // PowerShell SMB / WMI share enumeration
      or (match(img_lower, /\\(powershell|pwsh)\.exe$/) and match(cmd_lower, /(get-smbshare|win32_share|netshareenum|net share|net view)/))
      // wmic.exe Win32_Share
      or (match(img_lower, /\\wmic\.exe$/) and match(cmd_lower, /(win32_share|\bshare\b)/))
      // nbtscan - Tonto Team recon tool
      or match(img_lower, /\\nbtscan\.exe$/)
      // CrackMapExec SMB shares - APT39
      or (match(cmd_lower, /(crackmapexec|\bcme\b)/) and match(cmd_lower, /(\bsmb\b|--shares)/))
    )
| eval IsRemoteView=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bview\b/) and (match(cmd_lower, /\\\\/) or match(cmd_lower, /\/all/)), 1, 0)
| eval IsLocalShare=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bshare\b/) and not(match(cmd_lower, /(add|delete)/)), 1, 0)
| eval IsNetAllDomain=if(match(img_lower, /\\net1?\.exe$/) and match(cmd_lower, /\bview\b/) and match(cmd_lower, /\/all/), 1, 0)
| eval IsPowerShellEnum=if(match(img_lower, /\\(powershell|pwsh)\.exe$/) and match(cmd_lower, /(get-smbshare|win32_share|netshareenum)/), 1, 0)
| eval IsWmicEnum=if(match(img_lower, /\\wmic\.exe$/) and match(cmd_lower, /(win32_share|\bshare\b)/), 1, 0)
| eval IsSuspiciousTool=if(match(img_lower, /\\nbtscan\.exe$/) or (match(cmd_lower, /(crackmapexec|\bcme\b)/) and match(cmd_lower, /(\bsmb\b|--shares)/)), 1, 0)
| eval SuspicionScore=IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore], function=count(as=EventCount))
| sort(SuspicionScore, order=desc)
medium severity high confidence

CrowdStrike LogScale (CQL) query targeting ProcessRollup2 events to detect network share discovery via net.exe/net1.exe view and share subcommands, PowerShell Get-SmbShare/Win32_Share/NetShareEnum, wmic.exe Win32_Share queries, nbtscan, and CrackMapExec SMB share enumeration. Results are grouped and scored by detection subtype for analyst triage.

Data Sources

CrowdStrike Falcon sensor telemetry — ProcessRollup2 events from Windows endpoints

Required Tables

ProcessRollup2

False Positives & Tuning

  • IT helpdesk personnel running net view to diagnose file share access problems for end users
  • Automated inventory scripts using PowerShell Get-SmbShare or wmic Win32_Share queries on file servers
  • Authorized red team assessments or penetration testers with documented scope using CrackMapExec or nbtscan against in-scope hosts
Download portable Sigma rule (.yml)

Other platforms for T1135

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Local Shares with net share

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe (or net1.exe), CommandLine='net share', ParentImage=cmd.exe or powershell.exe. Security Event ID 4688 if command line auditing is enabled via GPO.

  2. Test 2Enumerate All Domain Network Shares with net view /all

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine='net view /all /domain'. Sysmon Event ID 3: Multiple outbound SMB connections (port 445) to domain controllers and other hosts. Windows Security Event ID 5145 on accessed servers for each share access check. DNS queries for domain host resolution.

  3. Test 3Query Specific Remote Host Shares via UNC Path

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net view \\\\' followed by the resolved hostname. Sysmon Event ID 3: SMB connection to the target host on port 445. Windows Security Event ID 5140 and 5145 on the target host recording the source account and enumerated share names.

  4. Test 4PowerShell WMI Network Share Enumeration via Win32_Share

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_Share'. PowerShell ScriptBlock Log Event ID 4104 with the full WMI query and returned share objects. Module load events (Sysmon Event ID 7) for WMI-related DLLs.

  5. Test 5SMB Share Enumeration via PowerShell Get-SmbShare Cmdlet

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-SmbShare'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet invocation and output. Sysmon Event ID 7: Module load for SmbShare module DLLs (Microsoft.SMBServer.*).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1021.002SMB/Windows Admin SharesT1039Data from Network Shared DriveT1083File and Directory DiscoveryT1016System Network Configuration DiscoveryT1018Remote System DiscoveryT1087.002Domain AccountT1069.002Domain GroupsT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1074.002Remote Data Staging

Same Tactic: Discovery

Popular Detections