ShareFinder: How Threat Actors Discover File Shares - The DFIR Report
Tags
attack-pattern: Data Network Topology - T1590.004 Powershell - T1059.001 Python - T1059.006 Software - T1592.002 Tool - T1588.002 Connection Proxy - T1090 Network Share Discovery - T1135 Powershell - T1086
Show in Graph
Common Information
Type Value
UUID 5a474cad-2633-4002-b49e-ac65a5ce0dd2
Fingerprint b46043ddc0bb8185
Analysis status DONE
Considered CTI value 0
Text language
Published Jan. 23, 2023, 1:11 a.m.
Added to db Nov. 19, 2023, 1:09 a.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline ShareFinder: How Threat Actors Discover File Shares
Title ShareFinder: How Threat Actors Discover File Shares - The DFIR Report
Detected Hints/Tags/Attributes 56/1/14
Source URLs
Redirection Url
Details Source https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
URL Provider
Details Provider Source level domain
Details thedfirreport.com thedfirreport.com
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 249 The DFIR Report https://thedfirreport.com/feed/ 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 74 
thedfirreport.com
Details Domain 4128 
github.com
Details File 3 
c:\programdata\shares.txt
Details Github username 5 
p0dalirius
Details Github username 1 
tevora-threat
Details IPv4 1441 
127.0.0.1
Details Url 2 
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware
Details Url 1 
https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter
Details Url 1 
https://thedfirreport.com/2022/09/26/bumblebee-round-two
Details Url 2 
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin
Details Url 3 
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware
Details Url 1 
http://127.0.0.1:10966
Details Url 1 
https://github.com/p0dalirius/finduncommonshares
Details Url 1 
https://github.com/tevora-threat/sharpview