T1039
Data from Network Shared Drive
Description from ATT&CK
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Atomic Tests
Atomic Test #1 - Copy a sensitive File over Administive share with copy
Copy from sensitive File from the c$ of another LAN computer with copy cmd https://twitter.com/SBousseaden/status/1211636381086339073
Supported Platforms: windows
auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote | Remote server name | string | 127.0.0.1 |
| share_file | Remote Path to the file | path | Windows\temp\Easter_Bunny.password |
| local_file | Local name | string | Easter_egg.password |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
1
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
Cleanup Commands:
1
2
del \\#{remote}\C$\#{share_file}
del %TEMP%\#{local_file}
Dependencies: Run with powershell!
Description: Administrative share must exist on #{remote}
Check Prereq Commands:
1
2
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
Write-Host 'Please Enable "C$" share on #{remote}'
Description: "\#{remote}\C$#{share_file}" must exist on #{remote}
Check Prereq Commands:
1
2
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
Atomic Test #2 - Copy a sensitive File over Administive share with Powershell
Copy from sensitive File from the c$ of another LAN computer with powershell https://twitter.com/SBousseaden/status/1211636381086339073
Supported Platforms: windows
auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote | Remote server name | string | 127.0.0.1 |
| share_file | Remote Path to the file | path | Windows\temp\Easter_Bunny.password |
| local_file | Local name | string | Easter_egg.password |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
Cleanup Commands:
1
2
Remove-Item -Path "\\#{remote}\C$\#{share_file}"
Remove-Item -Path "$Env:TEMP\#{local_file}"
Dependencies: Run with powershell!
Description: Administrative share must exist on #{remote}
Check Prereq Commands:
1
2
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
Write-Host 'Please Enable "C$" share on #{remote}'
Description: "\#{remote}\C$#{share_file}" must exist on #{remote}
Check Prereq Commands:
1
2
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
Out-File -FilePath "\\#{remote}\C$\#{share_file}"