Detection: Windows File Share Discovery With Powerview
Description
The following analytic identifies use of the Invoke-ShareFinder PowerShell cmdlet, part of PowerView. This function enumerates the active computers in the domain and then lists the active shares on each one. Network file shares in Active Directory environments may contain sensitive information such as backups, scripts and credentials. Adversaries who have obtained a foothold in an AD network may use PowerView to locate such secrets and leverage them for privilege escalation or lateral movement.
Annotations
No annotations available.
Implementation
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Script Block Logging records the content of executed script blocks in the Microsoft-Windows-PowerShell/Operational log as EventCode 4104; those events must be collected before this analytic can match on them. Additional setup here: https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
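The matching and scoring logic described above, as an added example in Python that is not part of the Splunk analytic or of PowerView: it filters constructed EventCode 4104 records for the Invoke-ShareFinder cmdlet name (case-insensitively, since PowerShell command names are case-insensitive), aggregates hits per computer and user, and derives the risk score the way the RBA table below does (impact 60 x confidence 80 / 100 = 48). The sample events, host names and user names are constructed for illustration.

```python
"""Added example: detect Invoke-ShareFinder in PowerShell Script Block Logging
events and emit risk events. Not part of the Splunk analytic or PowerView."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, shaped like the fields a SIEM extracts from
# EventCode 4104 (Microsoft-Windows-PowerShell/Operational). Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2023-01-23T10:01:05", "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Import-Module .\\powerview.ps1; Invoke-ShareFinder -CheckShareAccess"},
    {"_time": "2023-01-23T10:03:40", "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "invoke-sharefinder -ExcludeStandard -ExcludePrint -ExcludeIPC"},
    {"_time": "2023-01-23T10:05:00", "EventCode": 4104, "Computer": "SRV02.corp.local",
     "UserID": "CORP\\svc_backup",
     "ScriptBlockText": "Get-ChildItem \\\\fs01\\backups | Measure-Object"},
    # Module logging (4103) rather than script block logging: must not match.
    {"_time": "2023-01-23T10:06:12", "EventCode": 4103, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Invoke-ShareFinder"},
]

IMPACT, CONFIDENCE = 60, 80  # values from the RBA table on this page


def risk_score(impact=IMPACT, confidence=CONFIDENCE):
    """Risk score as impact * confidence / 100, i.e. 48 for this analytic."""
    return impact * confidence // 100


def find_sharefinder(events, needle="invoke-sharefinder"):
    """Aggregate 4104 events whose ScriptBlockText contains the cmdlet name.

    Returns {(Computer, UserID): {"count", "firstTime", "lastTime", "blocks"}}.
    Matching is per event, so a long script that Script Block Logging splits
    into several 4104 chunks still matches on whichever chunk names the cmdlet.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None,
                                  "lastTime": None, "blocks": []})
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if needle not in text.lower():
            continue
        key = (ev["Computer"], ev["UserID"])
        g = groups[key]
        t = datetime.fromisoformat(ev["_time"])
        g["count"] += 1
        if g["firstTime"] is None or t < g["firstTime"]:
            g["firstTime"] = t
        if g["lastTime"] is None or t > g["lastTime"]:
            g["lastTime"] = t
        g["blocks"].append(text)
    return dict(groups)


def risk_events(groups):
    """Turn the aggregates into risk events carrying the RBA risk message."""
    return [
        {"risk_message": f"Invoke-ShareFinder commandlet was executed on {computer}",
         "risk_score": risk_score(),
         "Computer": computer,
         "UserID": user,
         "count": g["count"],
         "firstTime": g["firstTime"].isoformat(),
         "lastTime": g["lastTime"].isoformat()}
        for (computer, user), g in groups.items()
    ]


if __name__ == "__main__":
    for r in risk_events(find_sharefinder(SAMPLE_EVENTS)):
        print(r)
```

The match keys on the cmdlet name only, so a copy of the function that an adversary has renamed will not trigger it; the analytic is a high-confidence indicator of the stock tool, not a general share-enumeration detection.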
Known False Positives
Unknown
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Invoke-ShareFinder commandlet was executed on $Computer$ | 48 | 60 | 80 |
References
- https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/
Version: 4