T1135 IBM QRadar · QRadar

Detect Network Share Discovery in IBM QRadar

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

MITRE ATT&CK

Tactic
Discovery
Technique
T1135 Network Share Discovery
Canonical reference
https://attack.mitre.org/techniques/T1135/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "filename" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% view%'
         AND (LOWER("CommandLine") LIKE '%\\\\%' OR LOWER("CommandLine") LIKE '%/all%') THEN 1
    ELSE 0
  END AS is_remote_view,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% share%'
         AND LOWER("CommandLine") NOT LIKE '%add%' AND LOWER("CommandLine") NOT LIKE '%delete%' THEN 1
    ELSE 0
  END AS is_local_share,
  CASE
    WHEN LOWER("filename") IN ('net.exe', 'net1.exe') AND LOWER("CommandLine") LIKE '% view%'
         AND LOWER("CommandLine") LIKE '%/all%' THEN 1
    ELSE 0
  END AS is_net_all_domain,
  CASE
    WHEN REGEXP_MATCH(LOWER("filename"), '(powershell|pwsh)\.exe')
         AND REGEXP_MATCH(LOWER("CommandLine"), '(get-smbshare|win32_share|netshareenum)') THEN 1
    ELSE 0
  END AS is_powershell_enum,
  CASE
    WHEN LOWER("filename") = 'nbtscan.exe'
         OR (REGEXP_MATCH(LOWER("CommandLine"), '(crackmapexec|\bcme\b)')
             AND REGEXP_MATCH(LOWER("CommandLine"), '(\bsmb\b|--shares)')) THEN 1
    ELSE 0
  END AS is_suspicious_tool
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 352)
  AND QIDNAME(qid) LIKE '%Process%'
  AND (
    (LOWER("filename") IN ('net.exe', 'net1.exe')
     AND (LOWER("CommandLine") LIKE '% view%' OR LOWER("CommandLine") LIKE '% share%'))
    OR (REGEXP_MATCH(LOWER("filename"), '(powershell|pwsh)\.exe')
        AND REGEXP_MATCH(LOWER("CommandLine"), '(get-smbshare|win32_share|netshareenum|net share|net view)'))
    OR (LOWER("filename") = 'wmic.exe'
        AND REGEXP_MATCH(LOWER("CommandLine"), '(win32_share|\bshare\b)'))
    OR LOWER("filename") = 'nbtscan.exe'
    OR (REGEXP_MATCH(LOWER("CommandLine"), '(crackmapexec|\bcme\b)')
        AND REGEXP_MATCH(LOWER("CommandLine"), '(\bsmb\b|--shares)'))
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LIMIT 500
medium severity medium confidence

AQL query targeting Windows process creation events from Sysmon (LOGSOURCETYPEID 352) and WinEventLog (LOGSOURCETYPEID 12) to identify network share discovery via net.exe, net1.exe, PowerShell WMI/SMB cmdlets, wmic.exe Win32_Share queries, nbtscan, and CrackMapExec SMB enumeration. Classifies each match by discovery subtype.

Data Sources

Microsoft Windows Security Event LogSysmon via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Network administrators using net view or net share routinely during shift handovers or troubleshooting sessions
  • Endpoint management platforms such as SCCM or Intune using WMI Win32_Share queries for compliance checks
  • Security scanners and vulnerability assessment tools querying SMB shares as part of authorized penetration testing
Download portable Sigma rule (.yml)

Other platforms for T1135

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Local Shares with net share

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe (or net1.exe), CommandLine='net share', ParentImage=cmd.exe or powershell.exe. Security Event ID 4688 if command line auditing is enabled via GPO.

  2. Test 2Enumerate All Domain Network Shares with net view /all

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine='net view /all /domain'. Sysmon Event ID 3: Multiple outbound SMB connections (port 445) to domain controllers and other hosts. Windows Security Event ID 5145 on accessed servers for each share access check. DNS queries for domain host resolution.

  3. Test 3Query Specific Remote Host Shares via UNC Path

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net view \\\\' followed by the resolved hostname. Sysmon Event ID 3: SMB connection to the target host on port 445. Windows Security Event ID 5140 and 5145 on the target host recording the source account and enumerated share names.

  4. Test 4PowerShell WMI Network Share Enumeration via Win32_Share

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_Share'. PowerShell ScriptBlock Log Event ID 4104 with the full WMI query and returned share objects. Module load events (Sysmon Event ID 7) for WMI-related DLLs.

  5. Test 5SMB Share Enumeration via PowerShell Get-SmbShare Cmdlet

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-SmbShare'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet invocation and output. Sysmon Event ID 7: Module load for SmbShare module DLLs (Microsoft.SMBServer.*).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1021.002SMB/Windows Admin SharesT1039Data from Network Shared DriveT1083File and Directory DiscoveryT1016System Network Configuration DiscoveryT1018Remote System DiscoveryT1087.002Domain AccountT1069.002Domain GroupsT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1074.002Remote Data Staging

Same Tactic: Discovery

Popular Detections