Language: SPL | License: Apache-2.0 | Source: splunk/security_content
Windows File Share Discovery With Powerview
The following analytic detects execution of the Invoke-ShareFinder function from PowerView. It relies on PowerShell Script Block Logging (EventCode 4104) and matches script blocks whose text begins with that function name. The activity is worth monitoring because it is an attempt to enumerate network file shares, which frequently hold sensitive material such as backups, scripts, and credentials. If confirmed malicious, the enumeration gives an attacker targets for privilege escalation or lateral movement, potentially compromising additional systems and data.
Quality: 67 | FP risk: —
Rule source: detections/endpoint/windows_file_share_discovery_with_powerview.yml
`powershell` EventCode=4104 (ScriptBlockText=Invoke-ShareFinder*)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_share_discovery_with_powerview_filter`
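To see what the search above actually returns, the following Python replays its filter-and-aggregate logic over a handful of constructed EventCode 4104 records. This is an added example, not code from splunk/security_content, and it assumes two things: the event records are hand-made for illustration, and Splunk's `ScriptBlockText=Invoke-ShareFinder*` behaves as a case-insensitive prefix match against the whole field value (the `*Invoke-ShareFinder*` form, also shown, is a substring match). The `GROUP_BY` tuple is a subset of the rule's BY fields chosen for readability.

```python
"""
Added example: replays the Windows File Share Discovery With Powerview
search over constructed PowerShell 4104 events and aggregates them the way
`stats count min(_time) as firstTime max(_time) as lastTime BY ...` does.

Assumptions (not from the rule page):
  * SAMPLE_EVENTS are constructed by hand; they are not real log data.
  * `ScriptBlockText=Invoke-ShareFinder*` is modelled as a case-insensitive
    prefix match on the whole field value; `*Invoke-ShareFinder*` as substring.
  * GROUP_BY is a readable subset of the rule's BY clause.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events (a subset of the fields the Windows TA extracts).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "dest": "WKS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "a1", "Path": "",
     "ScriptBlockText": "Invoke-ShareFinder -CheckShareAccess"},
    {"_time": 1700000060, "EventCode": 4104, "dest": "WKS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "a2", "Path": "",
     "ScriptBlockText": "invoke-sharefinder -Verbose"},          # lower case, still matches
    {"_time": 1700000120, "EventCode": 4104, "dest": "SRV02", "user_id": "CORP\\svc",
     "ScriptBlockId": "b1", "Path": "C:\\ops\\inv.ps1",
     "ScriptBlockText": "$shares = Invoke-ShareFinder -ExcludeStandard\n"
                        "$shares | Out-File shares.txt"},        # call is not at the start
    {"_time": 1700000180, "EventCode": 4104, "dest": "SRV02", "user_id": "CORP\\svc",
     "ScriptBlockId": "b2", "Path": "",
     "ScriptBlockText": "Get-ChildItem C:\\Temp"},               # benign
    {"_time": 1700000240, "EventCode": 4103, "dest": "WKS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "", "Path": "",
     "ScriptBlockText": "Invoke-ShareFinder"},                   # wrong EventCode, excluded
    {"_time": 1700000300, "EventCode": 4104, "dest": "WKS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "a1", "Path": "",
     "ScriptBlockText": "Invoke-ShareFinder -CheckShareAccess"}, # same block logged again
]

GROUP_BY = ("dest", "user_id", "Path", "ScriptBlockId", "ScriptBlockText")


def matches(event, pattern="Invoke-ShareFinder*"):
    """Mimic `EventCode=4104 (ScriptBlockText=<pattern>)`.

    Splunk field=value matching is case-insensitive, so both sides are
    lower-cased before the glob comparison. fnmatch's '*' spans newlines.
    """
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText") or ""
    return fnmatchcase(text.lower(), pattern.lower())


def run_search(events, pattern="Invoke-ShareFinder*"):
    """Filter, then aggregate like the rule's `stats ... BY` clause.

    Returns one row per distinct GROUP_BY key with count/firstTime/lastTime,
    sorted by firstTime so the output is deterministic.
    """
    buckets = defaultdict(list)
    for ev in events:
        if matches(ev, pattern):
            key = tuple(ev.get(f, "") for f in GROUP_BY)
            buckets[key].append(ev["_time"])
    rows = []
    for key, times in buckets.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        rows.append(row)
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for pat in ("Invoke-ShareFinder*", "*Invoke-ShareFinder*"):
        print(f"pattern {pat}:")
        for r in run_search(SAMPLE_EVENTS, pat):
            print(f"  {r['dest']:6} {r['user_id']:12} count={r['count']} "
                  f"first={r['firstTime']} last={r['lastTime']} "
                  f"{r['ScriptBlockText'][:40]!r}")
```

Running it shows the practical consequence of the rule's pattern: with the prefix form only the two WKS01 blocks that start with the function name are returned, while the SRV02 script that embeds the call after an assignment is missed; switching to `*Invoke-ShareFinder*` catches it at the cost of matching any block that merely mentions the name (comments, help text, or a defender's own tooling). Note also that the search keys on the name Invoke-ShareFinder alone; newer PowerView builds expose the same function as Find-DomainShare, which this rule does not cover.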