Type: Detection | Level: low | Status: test

Suspicious Get Information for SMB Share - PowerShell Module

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Author: François Hubaut | Created: Wed Dec 15 | Updated: Fri Dec 02 | Rule ID: 6942bd25-5970-40ab-af49-944247103358 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Module (raw: ps_module)

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic

detection:
    selection:
        - Payload|contains: get-smbshare
        - ContextInfo|contains: get-smbshare
    condition: selection
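The selection above is a Sigma list of single-key maps, which evaluates as an OR across the two fields, and `|contains` is case-insensitive. The following is an added example (not part of the rule or the Sigma project) that applies that logic to constructed PowerShell Module (Event ID 4103) records, including the benign script case the false-positives section mentions; the field names and event contents are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# The rule's selection as Sigma expresses it: single-key maps in a list,
# which Sigma evaluates as an OR across the items; |contains is case-insensitive.
SELECTION: List[Tuple[str, str]] = [
    ("Payload", "get-smbshare"),
    ("ContextInfo", "get-smbshare"),
]

# Constructed sample records in the shape of PowerShell Module logging
# (Event ID 4103) as a SIEM would expose Payload and ContextInfo.
# They are made up for this example, not taken from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4103",
     "ContextInfo": "Host Name = ConsoleHost\r\nCommand Name = Get-SmbShare\r\nCommand Type = Function",
     "Payload": "CommandInvocation(Get-SmbShare): \"Get-SmbShare\"\r\n"
                "ParameterBinding(Get-SmbShare): name=\"CimSession\"; value=\"fileserver01\""},
    {"EventID": "4103",
     "ContextInfo": "Host Name = ConsoleHost\r\nCommand Name = Get-ChildItem\r\nCommand Type = Cmdlet",
     "Payload": "CommandInvocation(Get-ChildItem): \"Get-ChildItem\""},
    # Benign admin activity: reading a script whose file name contains the string.
    {"EventID": "4103",
     "ContextInfo": "Host Name = ConsoleHost\r\nCommand Name = Get-Content\r\nCommand Type = Cmdlet",
     "Payload": "CommandInvocation(Get-Content): \"Get-Content\"\r\n"
                "ParameterBinding(Get-Content): name=\"Path\"; value=\"C:\\admin\\Get-SMBShare.ps1\""},
]


def matched_fields(event: Dict[str, str]) -> List[str]:
    """Return the names of the fields whose value satisfies the selection (OR semantics)."""
    hits = []
    for field, needle in SELECTION:
        value = event.get(field)
        if value is not None and needle.lower() in value.lower():
            hits.append(field)
    return hits


def run_rule(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Evaluate the rule over a batch; each alert is (event index, fields that matched)."""
    alerts = []
    for idx, event in enumerate(events):
        hits = matched_fields(event)
        if hits:  # condition: selection
            alerts.append((idx, hits))
    return alerts


if __name__ == "__main__":
    for idx, hits in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: rule 6942bd25 (level low) fired on {', '.join(hits)}")
```

The third record fires on Payload alone even though no share enumeration ran, which is the "Administrator script" false positive listed below; the first record fires on both fields because the cmdlet name appears in the Payload and in the ContextInfo command name.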
False Positives

Administrator script

MITRE ATT&CK
Rule Metadata
Rule ID
6942bd25-5970-40ab-af49-944247103358
Status
test
Level
low
Type
Detection
Created
Wed Dec 15
Modified
Fri Dec 02
Path
rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml
Raw Tags
attack.discovery, attack.t1069.001