CircleCI Atomic Red Team doc generator
96 lines
3.0 KiB
Markdown
96 lines
3.0 KiB
Markdown
# T1135 - Network Share Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1135)
|
|
<blockquote>Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
|
|
|
|
### Windows
|
|
|
|
File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder)
|
|
|
|
[Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>.
|
|
|
|
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
|
|
|
|
### Mac
|
|
|
|
On Mac, locally mounted shares can be viewed with the <code>df -aH</code> command.
|
|
|
|
### Cloud
|
|
|
|
Cloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Network Share Discovery](#atomic-test-1---network-share-discovery)
|
|
|
|
- [Atomic Test #2 - Network Share Discovery command prompt](#atomic-test-2---network-share-discovery-command-prompt)
|
|
|
|
- [Atomic Test #3 - Network Share Discovery PowerShell](#atomic-test-3---network-share-discovery-powershell)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Network Share Discovery
|
|
Network Share Discovery
|
|
|
|
**Supported Platforms:** macOS, Linux
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| computer_name | Computer name to find a mount on. | string | computer1|
|
|
|
|
#### Run it with `sh`!
|
|
```
|
|
df -aH
|
|
smbutil view -g //#{computer_name}
|
|
showmount #{computer_name}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Network Share Discovery command prompt
|
|
Network Share Discovery utilizing the command prompt
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| computer_name | Computer name to find a mount on. | string | computer1|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
net view \\#{computer_name}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Network Share Discovery PowerShell
|
|
Network Share Discovery utilizing PowerShell
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| computer_name | Computer name to find a mount on. | string | computer1|
|
|
|
|
#### Run it with `powershell`!
|
|
```
|
|
net view \\#{computer_name}
|
|
get-smbshare -Name #{computer_name}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|