PowerShell Share Enumeration Script

About

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: DiscoveryTactic: CollectionTactic: ExecutionData Source: PowerShell LogsLanguage: kuery

Severity

high

Risk Score

73

MITRE ATT&CK™

Discovery (TA0007)(external, opens in a new tab or window)

↳ Network Share Discovery (T1135)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

↳ Command and Scripting Interpreter (T1059)(external, opens in a new tab or window)

↳ Native API (T1106)(external, opens in a new tab or window)

Collection (TA0009)(external, opens in a new tab or window)

↳ Data from Network Shared Drive (T1039)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-windows.powershell*

Related Integrations

windows(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗event.category:process and host.os.type:windows and
  powershell.file.script_block_text:(
    "Invoke-ShareFinder" or
    "Invoke-ShareFinderThreaded" or
    (
      "shi1_netname" and
      "shi1_remark"
    ) or
    (
      "NetShareEnum" and
      "NetApiBufferFree"
    )
  ) and not user.id : "S-1-5-18"