kqlElastic-2.0from elastic/detection-rules

PowerShell Share Enumeration Script

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1135 T1059 T1059.001 T1106 T1039

Rule sourcerules/windows/discovery_posh_invoke_sharefinder.toml

event.category:process and host.os.type:windows and
  powershell.file.script_block_text:(
    "Invoke-ShareFinder" or
    "Invoke-ShareFinderThreaded" or
    (
      "shi1_netname" and
      "shi1_remark"
    ) or
    (
      "NetShareEnum" and
      "NetApiBufferFree"
    )
  ) and not user.id : "S-1-5-18"