T1039
Data from Network Shared Drive
Description from ATT&CK
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
Atomic Tests
- Atomic Test #1: Copy a sensitive File over Administrative share with copy
- Atomic Test #2: Copy a sensitive File over Administrative share with Powershell
Atomic Test #1: Copy a sensitive File over Administrative share with copy
Copy from sensitive File from the c$ of another LAN computer with copy cmd https://twitter.com/SBousseaden/status/1211636381086339073
Supported Platforms: Windows
auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote | Remote server name | string | 127.0.0.1 |
| share_file | Remote Path to the file | path | Windows\temp\Easter_Bunny.password |
| local_file | Local name | string | Easter_egg.password |
Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}Cleanup Commands
del \\#{remote}\C$\#{share_file}
del %TEMP%\#{local_file}Dependencies: Run with powershell!
Description: Administrative share must exist on #{remote}
Check Prereq Commands
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}Get Prereq Commands
Write-Host 'Please Enable "C$" share on #{remote}'Description: "\#{remote}\C$#{share_file}" must exist on #{remote}
Check Prereq Commands
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}Get Prereq Commands
Out-File -FilePath "\\#{remote}\C$\#{share_file}"Atomic Test #2: Copy a sensitive File over Administrative share with Powershell
Copy from sensitive File from the c$ of another LAN computer with powershell https://twitter.com/SBousseaden/status/1211636381086339073
Supported Platforms: Windows
auto_generated_guid: 7762e120-5879-44ff-97f8-008b401b9a98
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote | Remote server name | string | 127.0.0.1 |
| share_file | Remote Path to the file | path | Windows\temp\Easter_Bunny.password |
| local_file | Local name | string | Easter_egg.password |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"Cleanup Commands
Remove-Item -Path "\\#{remote}\C$\#{share_file}"
Remove-Item -Path "$Env:TEMP\#{local_file}"Dependencies: Run with powershell!
Description: Administrative share must exist on #{remote}
Check Prereq Commands
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}Get Prereq Commands
Write-Host 'Please Enable "C$" share on #{remote}'Description: "\#{remote}\C$#{share_file}" must exist on #{remote}
Check Prereq Commands
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}Get Prereq Commands
Out-File -FilePath "\\#{remote}\C$\#{share_file}"Atomic test(s) for this technique last updated: 2023-05-31 20:50:22 UTC