← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Get Information for SMB Share - PowerShell Module

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1069.001
Rule sourcerules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
title: Suspicious Get Information for SMB Share - PowerShell Module
id: 6942bd25-5970-40ab-af49-944247103358
status: test
description: |
    Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
    to identify potential systems of interest for Lateral Movement.
    Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        - Payload|contains: get-smbshare
        - ContextInfo|contains: get-smbshare
    condition: selection
falsepositives:
    - Administrator script
level: low