title: Data from Network Shared Drive (T1039)
id: df00tech-t1039
status: experimental
description: "Adversaries may search network shares on compromised systems to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to exfiltration. Threat actors including APT28, RedCurl, Gamaredon Group, menuPass, Chimera, and BRONZE BUTLER have leveraged this technique using tools such as net use, Robocopy, xcopy, and custom malware to enumerate and bulk-copy documents, configuration files, and credentials from accessible SMB shares."
references:
  - https://attack.mitre.org/techniques/T1039/
  - https://df00tech.com/detections/T1039
author: df00tech
date: 2026/04/16
tags:
  - attack.t1039
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL query could not be auto-translated. The selection below is derived from
  # the tools named in the description (Robocopy, xcopy, net use) reaching a UNC path; tune per environment.
  selection:
    Image|endswith: ['\robocopy.exe', '\xcopy.exe', '\net.exe', '\net1.exe']
    CommandLine|contains: '\\\\'
  condition: selection
falsepositives:
  - "Backup agents (Veeam, Commvault, Windows Server Backup) performing scheduled backups from network shares — typically run as a service account during off-hours windows"
  - "DLP or data classification tools (Varonis, Spirion, Microsoft Purview) scanning network shares during inventory runs — generates high FileCount against many share paths"
  - "IT administrators using Robocopy or xcopy for legitimate data migration, server decommission, or disaster recovery operations with pre-approved change tickets"
  - "File synchronization clients (OneDrive, SharePoint sync, Dropbox Business) that mount SMB shares and perform bulk reads for sync operations"
  - "Antivirus or EDR agents performing full scan of network-accessible paths — parent process will be a security product executable"
  - "Software deployment tools (SCCM, Intune) accessing distribution point shares to cache or distribute software packages"
level: high
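The following is an added example, not df00tech's code or the rule's own query: a small Python matcher that applies the process_creation selection (Robocopy, xcopy or net.exe touching a UNC path) to constructed sample events, then suppresses the hits the falsepositives section describes (backup/DLP/AV/deployment parent processes, service accounts). Field names follow the Sigma process_creation convention (Image, CommandLine, ParentImage, User); the trusted parent path fragments and the `svc_` service-account naming are assumptions to be replaced with your own allowlist.

```python
"""Reference matcher for the T1039 process_creation selection plus the rule's
false-positive allowlist. Added example, not df00tech's code."""
import re

# Constructed sample events (not real telemetry); fields mirror Sigma process_creation.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe \\fileserver01\finance C:\Users\jdoe\stage /E /R:1",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver01\hr /persistent:no",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\robocopy.exe",
     "CommandLine": r"robocopy.exe \\fileserver01\backups D:\VeeamStage /MIR",
     "ParentImage": r"C:\Program Files\Veeam\Backup\VeeamAgent.exe", "User": "CORP\\svc_veeam"},
    {"Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy C:\build\out D:\artifacts /S",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\builder"},
]

# Same terms as the rule's selection: Image|endswith and CommandLine|contains '\\'.
SUSPECT_IMAGES = ("\\robocopy.exe", "\\xcopy.exe", "\\net.exe", "\\net1.exe")
UNC_MARKER = "\\\\"

# Allowlist implied by the falsepositives section. Path fragments and the svc_ naming
# convention are assumptions; replace with your environment's known-good values.
TRUSTED_PARENT_FRAGMENTS = ("\\veeam\\", "\\commvault\\", "\\varonis\\", "\\ccm\\")
SERVICE_ACCOUNT_RE = re.compile(r"\\svc_", re.IGNORECASE)


def matches_selection(ev):
    """True when the event satisfies the rule's selection (tool image + UNC path)."""
    image = ev.get("Image", "").lower()
    return image.endswith(SUSPECT_IMAGES) and UNC_MARKER in ev.get("CommandLine", "")


def is_known_benign(ev):
    """Suppression: trusted backup/DLP/AV/deployment parent, or a service account."""
    parent = ev.get("ParentImage", "").lower()
    return (any(frag in parent for frag in TRUSTED_PARENT_FRAGMENTS)
            or bool(SERVICE_ACCOUNT_RE.search(ev.get("User", ""))))


def extract_share(cmd):
    """Pull the first \\server\share token out of a command line, or None."""
    m = re.search(r"\\\\[^\\\s]+\\[^\\\s]+", cmd)
    return m.group(0) if m else None


def triage(events):
    """Apply selection then allowlist; return one verdict per matching event."""
    results = []
    for ev in events:
        if not matches_selection(ev):
            continue
        results.append({
            "verdict": "suppressed" if is_known_benign(ev) else "alert",
            "share": extract_share(ev["CommandLine"]),
            "user": ev.get("User"),
            "image": ev["Image"],
        })
    return results


def shares_per_user(results):
    """Distinct shares touched per user among un-suppressed hits; a high count is the
    bulk-collection pattern the description attributes to this technique."""
    out = {}
    for r in results:
        if r["verdict"] == "alert" and r["share"]:
            out.setdefault(r["user"], set()).add(r["share"].lower())
    return {u: len(s) for u, s in out.items()}


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r)
    print(shares_per_user(triage(SAMPLE_EVENTS)))
```

The xcopy event never matches because its command line has no UNC path, and the Veeam-parented Robocopy run matches the selection but is suppressed, which is exactly the split the rule's falsepositives entries ask for; the per-user share count is the pivot an analyst would use to separate a single mapped drive from share enumeration.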
