T1039 - Data from Network Shared Drive
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
Atomic Tests
Atomic Test #1 - Copy a sensitive File over Administrative share with copy
Copy from sensitive File from the c$ of another LAN computer with copy cmd
https://twitter.com/SBousseaden/status/1211636381086339073
Supported Platforms: Windows
auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| remote | Remote server name | string | 127.0.0.1|
| share_file | Remote Path to the file | path | Windows\temp\Easter_Bunny.password|
| local_file | Local name | string | Easter_egg.password|
Attack Commands: Run with
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
Cleanup Commands:
del \\#{remote}\C$\#{share_file}
del %TEMP%\#{local_file}
Dependencies: Run with
Description: Administrative share must exist on #{remote}
Check Prereq Commands:
1
| if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
| Write-Host 'Please Enable "C$" share on #{remote}'
|
Description: “\#{remote}\C$#{share_file}” must exist on #{remote}
Check Prereq Commands:
1
| if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
| Out-File -FilePath "\\#{remote}\C$\#{share_file}"
|
Atomic Test #2 - Copy a sensitive File over Administrative share with Powershell
Copy from sensitive File from the c$ of another LAN computer with powershell
https://twitter.com/SBousseaden/status/1211636381086339073
Supported Platforms: Windows
auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| remote | Remote server name | string | 127.0.0.1|
| share_file | Remote Path to the file | path | Windows\temp\Easter_Bunny.password|
| local_file | Local name | string | Easter_egg.password|
Attack Commands: Run with
1
| copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
|
Cleanup Commands:
1
2
| Remove-Item -Path "\\#{remote}\C$\#{share_file}"
Remove-Item -Path "$Env:TEMP\#{local_file}"
|
Dependencies: Run with
Description: Administrative share must exist on #{remote}
Check Prereq Commands:
1
| if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
| Write-Host 'Please Enable "C$" share on #{remote}'
|
Description: “\#{remote}\C$#{share_file}” must exist on #{remote}
Check Prereq Commands:
1
| if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
| Out-File -FilePath "\\#{remote}\C$\#{share_file}"
|