title: Taint Shared Content (T1080)
id: df00tech-t1080
status: experimental
description: "Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Variants include the directory share pivot (planting malicious .LNK files that masquerade as legitimate directories), binary infection (prepending or appending code to legitimate executables on shares), and Office document macro injection (as seen with Gamaredon Group). Threat actors including Conti, Ursnif, Ramsay, InvisiMole, and RedCurl have all leveraged this technique for lateral movement."
references:
  - https://attack.mitre.org/techniques/T1080/
  - https://df00tech.com/detections/T1080
author: df00tech
date: 2026/04/13
tags:
  - attack.t1080
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software deployment via SCCM or PDQ Deploy copying installation packages (.exe, .msi) to deployment shares"
  - Backup agents or robocopy jobs replicating executables to archive network shares
  - "IT administrators legitimately copying scripts (.ps1, .bat) to shared script repositories or SYSVOL for GPO deployment"
  - Antivirus or EDR updates propagating via network share to air-gapped or slow-update endpoints
  - DFS replication (DFSR) synchronizing executables and documents across site shares
  - Development teams pushing compiled binaries to network-accessible build output directories
level: high