T1135 Splunk · SPL

Detect Network Share Discovery in Splunk

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for SMB services. Adversaries including Conti, BlackByte, Medusa, Latrodectus, QakBot, and Cuba have all leveraged network share discovery as a precursor to lateral movement, ransomware staging, and data collection operations, frequently calling NetShareEnum() directly or through net.exe wrappers.

MITRE ATT&CK

Tactic
Discovery
Technique
T1135 Network Share Discovery
Canonical reference
https://attack.mitre.org/techniques/T1135/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval img=lower(Image), cmdl=lower(CommandLine)
| where (
    (match(img, "\\\\net(1)?\\.exe$") AND (match(cmdl, "\\bview\\b") OR match(cmdl, "\\bshare\\b")))
    OR (match(img, "\\\\(powershell|pwsh)\\.exe$") AND match(cmdl, "(get-smbshare|win32_share|netshareenum)"))
    OR (match(img, "\\\\wmic\\.exe$") AND match(cmdl, "(win32_share|\\bshare\\b)"))
    OR match(img, "\\\\nbtscan\\.exe$")
    OR (match(cmdl, "(crackmapexec|\\bcme\\b)") AND match(cmdl, "(\\bsmb\\b|--shares)"))
)
| eval IsRemoteView=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bview\\b") AND (match(cmdl, "\\\\\\\\") OR match(cmdl, "/all")), 1, 0)
| eval IsLocalShare=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bshare\\b") AND NOT match(cmdl, "(add|delete)"), 1, 0)
| eval IsNetAllDomain=if(match(img, "\\\\net(1)?\\.exe$") AND match(cmdl, "\\bview\\b") AND match(cmdl, "/all"), 1, 0)
| eval IsPowerShellEnum=if(match(img, "\\\\(powershell|pwsh)\\.exe$") AND match(cmdl, "(get-smbshare|win32_share|netshareenum)"), 1, 0)
| eval IsWmicEnum=if(match(img, "\\\\wmic\\.exe$") AND match(cmdl, "(win32_share|\\bshare\\b)"), 1, 0)
| eval IsSuspiciousTool=if(match(img, "\\\\nbtscan\\.exe$") OR (match(cmdl, "(crackmapexec|\\bcme\\b)") AND match(cmdl, "(\\bsmb\\b|--shares)")), 1, 0)
| eval SuspicionScore=IsRemoteView + IsLocalShare + IsNetAllDomain + IsPowerShellEnum + IsWmicEnum + IsSuspiciousTool
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, IsRemoteView, IsLocalShare, IsNetAllDomain, IsPowerShellEnum, IsWmicEnum, IsSuspiciousTool, SuspicionScore
| sort - _time
medium severity high confidence

Detects network share discovery using Sysmon Event ID 1 (Process Creation) logs. Evaluates lowercased command lines for net.exe/net1.exe view and share subcommands (including UNC paths and /all domain-wide variants), PowerShell SMB and WMI enumeration, wmic.exe share queries, NBTscan, and CrackMapExec with SMB flags. Assigns a cumulative suspicion score to help analysts prioritize: domain-wide or remote enumeration and offensive tooling score highest.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • IT administrators running net view or net share during legitimate network inventory, troubleshooting, or helpdesk work
  • Backup agents and monitoring tools querying local or remote shares on a scheduled basis (e.g., Veeam, Backup Exec, SolarWinds Network Performance Monitor)
  • Vulnerability scanners and asset management platforms (Nessus, Qualys, Lansweeper) performing scheduled share enumeration as part of network discovery scans
  • SCCM distribution point or DFS replication health checks that enumerate available shares on managed servers
  • Developers or DevOps engineers using PowerShell Get-SmbShare or WMI to configure, validate, or document share permissions
Download portable Sigma rule (.yml)

Other platforms for T1135

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Local Shares with net share

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe (or net1.exe), CommandLine='net share', ParentImage=cmd.exe or powershell.exe. Security Event ID 4688 if command line auditing is enabled via GPO.

  2. Test 2Enumerate All Domain Network Shares with net view /all

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine='net view /all /domain'. Sysmon Event ID 3: Multiple outbound SMB connections (port 445) to domain controllers and other hosts. Windows Security Event ID 5145 on accessed servers for each share access check. DNS queries for domain host resolution.

  3. Test 3Query Specific Remote Host Shares via UNC Path

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'net view \\\\' followed by the resolved hostname. Sysmon Event ID 3: SMB connection to the target host on port 445. Windows Security Event ID 5140 and 5145 on the target host recording the source account and enumerated share names.

  4. Test 4PowerShell WMI Network Share Enumeration via Win32_Share

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Win32_Share'. PowerShell ScriptBlock Log Event ID 4104 with the full WMI query and returned share objects. Module load events (Sysmon Event ID 7) for WMI-related DLLs.

  5. Test 5SMB Share Enumeration via PowerShell Get-SmbShare Cmdlet

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-SmbShare'. PowerShell ScriptBlock Log Event ID 4104 with the full cmdlet invocation and output. Sysmon Event ID 7: Module load for SmbShare module DLLs (Microsoft.SMBServer.*).

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1135 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1021.002SMB/Windows Admin SharesT1039Data from Network Shared DriveT1083File and Directory DiscoveryT1016System Network Configuration DiscoveryT1018Remote System DiscoveryT1087.002Domain AccountT1069.002Domain GroupsT1570Lateral Tool TransferT1486Data Encrypted for ImpactT1074.002Remote Data Staging

Same Tactic: Discovery

Popular Detections