{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/share-enumeration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["discovery","powershell","share-enumeration","lateral-movement","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts utilizing ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or native Windows API calls for share enumeration. These techniques are commonly used by attackers to map accessible network shares within an environment. This reconnaissance is often a precursor to data collection, lateral movement, or the deployment of ransomware. The detection relies on PowerShell script block logging and looks for specific function calls and API usage within the logged script content. Defenders should be aware of this activity, particularly when performed by unexpected users or on unusual systems, as it may indicate malicious reconnaissance within the network. 
The references indicate that this activity can lead to corporate insurance policy exfiltration or Conti ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system, potentially through phishing or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script, either directly or through a fileless execution method.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script utilizes ShareFinder functions (Invoke-ShareFinder, Invoke-ShareFinderThreaded) or Windows share enumeration APIs (NetShareEnum, NetApiBufferFree) to discover network shares.\u003c/li\u003e\n\u003cli\u003eThe script identifies accessible network shares by leveraging API calls and parsing the results for share names (shi1_netname) and remarks (shi1_remark).\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the identified shares to determine those that are accessible and contain valuable data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to access these shares using compromised credentials or by exploiting existing vulnerabilities.\u003c/li\u003e\n\u003cli\u003eOnce access is gained, the attacker may collect sensitive data from the shares, move laterally to other systems, or deploy ransomware.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is data exfiltration, system compromise, or financial gain through ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful use of this reconnaissance technique can lead to significant data breaches, lateral movement within the network, and potential ransomware deployment. Organizations that fail to detect and prevent share enumeration may suffer financial losses, reputational damage, and operational disruption. 
The referenced \u0026ldquo;Stolen Images\u0026rdquo; campaign led to Conti ransomware deployment, and the \u0026ldquo;Hunting for corporate insurance policies\u0026rdquo; post highlights data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell script block logging to capture the necessary events for detection (as referenced in the rule setup).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration Script via Invoke-ShareFinder\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Share Enumeration via NetShareEnum API\u0026rdquo; to detect share enumeration using native Windows APIs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the PowerShell launch context and the scope of the share discovery (see triage steps in the original rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict PowerShell execution policies to prevent unauthorized script execution, especially from user-writable locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-09-powershell-share-enumeration/","summary":"Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.","title":"PowerShell Share Enumeration via ShareFinder or Native APIs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-powershell-share-enumeration/"}],"language":"en","title":"CraftedSignal Threat Feed — Share-Enumeration","version":"https://jsonfeed.org/version/1.1"}