• A host accesses a number of file shares significantly in excess of the number of file shares normally accessed in the network

Possible Root Causes

  • An attacker is looking for data to exfiltrate or is looking for files which provide additional information necessary for achieving the goals of the attack
  • The host is accessing a large number of file shares as an end user attempts to find a particular file or directory

Business Impact

  • An enumeration of the available file shares in a network is an effective way for an attacker to find data to exfiltrate or data that helps further the attack
  • Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  1. Ask the user of the host whether they have any knowledge of accessing the listed file shares
  2. Check the file server logs to see what files were accessed on the shares
  3. If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; in Windows systems, this can be done using a combination of netstat and tasklist commands