Threat Feed
Advisory severity: high

PowerShell Share Enumeration via ShareFinder or Native APIs

Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.

This detection identifies PowerShell scripts that use ShareFinder functions (Invoke-ShareFinder or Invoke-ShareFinderThreaded) or native Windows API calls to enumerate shares. Attackers commonly use these techniques to map the network shares reachable from a compromised host. This reconnaissance is often a precursor to data collection, lateral movement, or ransomware deployment. Detection relies on PowerShell script block logging and focuses on identifying the specific function calls and API usage within the logged script content. Defenders should treat this activity with particular suspicion when it is performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. The references indicate that this activity has led to exfiltration of corporate insurance policies and to Conti ransomware deployment.

Attack Chain

  1. An attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.
  2. The attacker executes a PowerShell script, either directly or through a fileless execution method.
  3. The PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.
  4. The script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).
  5. The attacker analyzes the identified shares to determine those that are accessible and contain valuable data.
  6. The attacker may then attempt to access these shares using compromised credentials or exploiting existing vulnerabilities.
  7. Once access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.
  8. The ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.
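The detection logic the advisory describes, applied to script block events, as an added example that is not the vendor's rule or code: it scans constructed Event ID 4104 records for the ShareFinder function names and, separately, for NetShareEnum together with one of the accompanying structure fields or cleanup calls named in the attack chain. The event field names, the rule names, and the co-occurrence requirement for the native API path are my own assumptions.

```python
import re

# Constructed sample script block events (Windows PowerShell Event ID 4104 fields),
# not real telemetry: two share-enumeration scripts, one comment-only mention, one
# record with the wrong event ID.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "WS01", "User": "CORP\\jdoe",
     "ScriptBlockText": "Invoke-ShareFinderThreaded | Out-File shares.txt"},
    {"EventID": 4104, "Host": "WS02", "User": "CORP\\svc_backup",
     "ScriptBlockText": ("$r = [NetApi32]::NetShareEnum($srv, 1, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)\n"
                         "$name = $entry.shi1_netname; $note = $entry.shi1_remark\n"
                         "[NetApi32]::NetApiBufferFree($buf)")},
    {"EventID": 4104, "Host": "WS03", "User": "CORP\\admin",
     "ScriptBlockText": "# Inventory helper; uses Get-SmbShare rather than NetShareEnum\nGet-SmbShare"},
    {"EventID": 4103, "Host": "WS01", "User": "CORP\\jdoe",
     "ScriptBlockText": "Invoke-ShareFinder"},  # not a script block event, so ignored
]

# Both ShareFinder variants; the optional suffix keeps the longer name from matching twice.
SHAREFINDER_RE = re.compile(r"\bInvoke-ShareFinder(?:Threaded)?\b", re.IGNORECASE)
NETSHAREENUM_RE = re.compile(r"\bNetShareEnum\b", re.IGNORECASE)
# Fields and calls that accompany a real NetShareEnum loop. Requiring one of them next to
# the call is an assumed false-positive guard (a bare mention in a comment should not fire).
CORROBORATING_RE = re.compile(r"\b(?:NetApiBufferFree|shi1_netname|shi1_remark)\b", re.IGNORECASE)


def classify_event(event):
    """Return an alert dict for a 4104 event whose script text matches, else None."""
    if event.get("EventID") != 4104:
        return None
    text = event.get("ScriptBlockText", "")
    base = {"host": event.get("Host"), "user": event.get("User")}
    funcs = sorted({m.group(0) for m in SHAREFINDER_RE.finditer(text)})
    if funcs:
        return {"rule": "sharefinder_function", "indicators": funcs, **base}
    if NETSHAREENUM_RE.search(text):
        extra = sorted({m.group(0) for m in CORROBORATING_RE.finditer(text)})
        if extra:
            return {"rule": "netshareenum_api", "indicators": ["NetShareEnum"] + extra, **base}
    return None


def scan(events):
    """Run the classifier over a batch of events and keep only the hits."""
    return [a for a in (classify_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The host and user fields are carried into each alert so the triage step in the recommendations (who ran it, and where) can be applied directly.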

Impact

Successful use of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. The referenced “Stolen Images” campaign led to Conti ransomware deployment, and the “Hunting for corporate insurance policies” post highlights data exfiltration.

Recommendation

  • Enable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).
  • Deploy the Sigma rule “PowerShell Share Enumeration Script via Invoke-ShareFinder” to your SIEM and tune for your environment.
  • Deploy the Sigma rule “PowerShell Share Enumeration via NetShareEnum API” to detect share enumeration using native Windows APIs.
  • Investigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).
  • Review and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.

Detection coverage (2 rules)

PowerShell Share Enumeration Script via Invoke-ShareFinder

Severity: high

Detects PowerShell scripts that use Invoke-ShareFinder or Invoke-ShareFinderThreaded functions to enumerate network shares.

Sigma rule. Tactics: discovery. Techniques: T1069.002. Sources: process_creation, windows.

PowerShell Share Enumeration via NetShareEnum API

Severity: high

Detects PowerShell scripts that use the NetShareEnum API to enumerate network shares.

Sigma rule. Tactics: discovery. Techniques: T1069.002. Sources: process_creation, windows.
