Reconnaissance
File Share Enumeration
Detection overview
The "File Share Enumeration" detection identifies attempts by an internal or external actor to discover shared folders and files on networked systems. This activity is often a precursor to more malicious actions, such as data exfiltration, lateral movement, or privilege escalation, as attackers gather information about available resources and their access permissions.
Triggers
- A host accesses a number of file shares significantly in excess of the number of file shares normally accessed in the network
Possible Root Causes
- An attacker is looking for data to exfiltrate or is looking for files which provide additional information necessary for achieving the goals of the attack
- The host is accessing a large number of file shares as an end user attempts to find a particular file or directory
Business Impact
- An enumeration of the available file shares in a network is an effective way for an attacker to find data to exfiltrate or data that helps further the attack
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection
Steps to Verify
- Ask the user of the host whether they have any knowledge of accessing the listed file shares
- Check the file server logs to see what files were accessed on the shares
- If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; in Windows systems, this can be done using a combination of netstat and tasklist commands
File Share Enumeration
Possible root causes
Malicious Detection
- An attacker using automated tools or scripts to map out shared resources within the network.
- Malware designed to enumerate file shares to locate sensitive data for exfiltration.
- A compromised internal host being used to gather intelligence on available network shares.
Benign Detection
- Network or IT administrators performing legitimate network audits or inventory checks.
- Security assessments or penetration testing activities simulating file share enumeration.
- Automated backup or synchronization processes that scan shared directories.
File Share Enumeration
Example scenarios
Scenario 1: An internal host generates multiple directory listing commands targeting various shared folders across the network. Investigation reveals that the host is compromised, and the attacker is mapping out available resources to identify sensitive data.
Scenario 2: A sudden increase in SMB traffic is detected, with multiple access attempts to administrative shares. Further analysis indicates that a security team was performing a scheduled network audit, causing the detection to trigger.
File Share Enumeration
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data Exposure
File share enumeration can reveal sensitive or confidential information stored in network shares, leading to potential data breaches.
Increased Attack Surface
Knowledge of available shared resources can be used by attackers to plan further exploitation, such as lateral movement or privilege escalation.
Operational Disruption
Unauthorized access and potential tampering with shared files can disrupt business operations and lead to data integrity issues.
File Share Enumeration
Steps to investigate
Analyze Network Traffic Logs
Review logs for patterns of directory listing commands and access attempts to shared resources. Focus on identifying the source of the enumeration activity.
Identify the Source
Determine the internal or external host generating the enumeration traffic. Verify if the source is authorized to perform such actions.
Check for Associated Activity
Look for other signs of compromise or related suspicious behavior, such as malware alerts, unusual login attempts, or unauthorized data access.
Consult with IT and Security Teams
Confirm if any authorized network audits, security assessments, or administrative tasks could explain the detected enumeration activity.
File Share Enumeration
MITRE ATT&CK techniques covered
File Share Enumeration
Related detections
FAQs
What is File Share Enumeration?
File Share Enumeration involves discovering shared folders and files on networked systems, often used by attackers to gather information about available resources and their access permissions.
How can I detect File Share Enumeration in my network?
Detect File Share Enumeration by monitoring for directory listing commands, unusual access attempts to shared resources, high volumes of file sharing traffic, and attempts to access hidden or administrative shares.
What are the common signs of File Share Enumeration?
Common signs include multiple directory listing commands, high SMB or NFS traffic, access attempts to hidden shares, and patterns of scanning for shared directories across multiple hosts.
Why is File Share Enumeration a significant threat?
It can reveal sensitive or confidential information, increase the attack surface for further exploitation, and disrupt business operations if unauthorized access and tampering occur.
Can legitimate software trigger this detection?
Yes, network audits, security assessments, administrative tasks, and automated backup processes can generate behavior resembling file share enumeration.
What steps should I take if I detect File Share Enumeration?
Investigate the source and scope of the enumeration activity, check for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.
How does Vectra AI identify File Share Enumeration?
Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic and system behavior, identifying anomalies indicative of file share enumeration activities.
What tools can help verify the presence of File Share Enumeration?
Tools such as network traffic analysis, threat detection and response systems, and intrusion detection systems can help verify and investigate suspicious file share enumeration activities.
What is the business impact of File Share Enumeration?
It can lead to data exposure, increased attack surface, and operational disruption due to unauthorized access and tampering with shared files.
How can I prevent File Share Enumeration?
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.