Reconnaissance

File Share Enumeration

Detection overview

The "File Share Enumeration" detection identifies attempts by an internal or external actor to discover shared folders and files on networked systems. This activity is often a precursor to more malicious actions, such as data exfiltration, lateral movement, or privilege escalation, as attackers gather information about available resources and their access permissions.

Triggers

  • A host accesses a number of file shares significantly in excess of the number of file shares normally accessed in the network

Possible Root Causes

  • An attacker is looking for data to exfiltrate or is looking for files which provide additional information necessary for achieving the goals of the attack
  • The host is accessing a large number of file shares as an end user attempts to find a particular file or directory

Business Impact

  • An enumeration of the available file shares in a network is an effective way for an attacker to find data to exfiltrate or data that helps further the attack
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often far less noticeable than a port sweep or a port scan, so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  1. Ask the user of the host whether they have any knowledge of accessing the listed file shares
  2. Check the file server logs to see what files were accessed on the shares
  3. If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; on Windows systems, this can be done using a combination of the netstat and tasklist commands
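The netstat and tasklist step above, carried out as an added example (not part of the original page): the code parses the output of `netstat -ano` and `tasklist /fo csv /nh` and joins them so every connection to remote port 445 (SMB) is paired with its owning process. Both listings are constructed samples in the layout those commands print; note the caveat in the comments about PID 4.

```python
import csv
import io

# Constructed sample in the layout `netstat -ano` prints on Windows (not real output).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.20.17:49712       10.1.5.10:445          ESTABLISHED     4
  TCP    10.1.20.17:49734       10.1.5.11:445          ESTABLISHED     6120
  TCP    10.1.20.17:49801       10.1.5.12:445          TIME_WAIT       0
  TCP    10.1.20.17:50011       52.96.0.1:443          ESTABLISHED     2288
"""

# Constructed sample in the layout of `tasklist /fo csv /nh`.
TASKLIST_SAMPLE = '''"System","4","Services","0","148 K"
"svchost.exe","6120","Services","0","12,404 K"
"msedge.exe","2288","Console","1","210,556 K"
'''

def smb_connections(netstat_text):
    """Rows (remote_ip, state, pid) for TCP connections whose remote port is 445."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank, or UDP line
        _, _local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if port == "445":
            rows.append((host, state, int(pid)))
    return rows

def pid_to_image(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def attribute_smb_connections(netstat_text, tasklist_csv):
    """Join both listings so each port-445 connection names its owning process.
    PID 4 is the kernel ("System"): SMB client sockets opened through the redirector
    belong to it, so the requesting user-mode process needs process auditing instead."""
    images = pid_to_image(tasklist_csv)
    out = []
    for host, state, pid in smb_connections(netstat_text):
        if pid == 4:
            process = "System (SMB redirector; requesting process not shown by netstat)"
        else:
            process = images.get(pid, "unknown")
        out.append({"remote": host, "state": state, "pid": pid, "process": process})
    return out
```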

Possible root causes

Malicious Detection

  • An attacker using automated tools or scripts to map out shared resources within the network.
  • Malware designed to enumerate file shares to locate sensitive data for exfiltration.
  • A compromised internal host being used to gather intelligence on available network shares.

Benign Detection

  • Network or IT administrators performing legitimate network audits or inventory checks.
  • Security assessments or penetration testing activities simulating file share enumeration.
  • Automated backup or synchronization processes that scan shared directories.

Example scenarios

Scenario 1: An internal host generates multiple directory listing commands targeting various shared folders across the network. Investigation reveals that the host is compromised, and the attacker is mapping out available resources to identify sensitive data.

Scenario 2: A sudden increase in SMB traffic is detected, with multiple access attempts to administrative shares. Further analysis indicates that a security team was performing a scheduled network audit, causing the detection to trigger.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Data Exposure

File share enumeration can reveal sensitive or confidential information stored in network shares, leading to potential data breaches.

Increased Attack Surface

Knowledge of available shared resources can be used by attackers to plan further exploitation, such as lateral movement or privilege escalation.

Operational Disruption

Unauthorized access and potential tampering with shared files can disrupt business operations and lead to data integrity issues.

Steps to investigate

FAQs

What is File Share Enumeration?

File Share Enumeration involves discovering shared folders and files on networked systems, often used by attackers to gather information about available resources and their access permissions.

What are the common signs of File Share Enumeration?

Common signs include multiple directory listing commands, high SMB or NFS traffic, access attempts to hidden shares, and patterns of scanning for shared directories across multiple hosts.

Can legitimate software trigger this detection?

Yes, network audits, security assessments, administrative tasks, and automated backup processes can generate behavior resembling file share enumeration.

How does Vectra AI identify File Share Enumeration?

Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic and system behavior, identifying anomalies indicative of file share enumeration activities.

What is the business impact of File Share Enumeration?

It can lead to data exposure, increased attack surface, and operational disruption due to unauthorized access and tampering with shared files.

How can I detect File Share Enumeration in my network?

Detect File Share Enumeration by monitoring for directory listing commands, unusual access attempts to shared resources, high volumes of file sharing traffic, and attempts to access hidden or administrative shares.
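The trigger described under "Triggers" (a host accessing far more distinct file shares than is normal for the network) and the monitoring advice in this answer, as an added example that is not the vendor's detection logic: it runs over constructed share-access records of the kind a file server audit log carries (source host, share path) and flags hosts whose distinct-share count is well above the per-host median, plus any host touching administrative `$` shares. The multiplier and minimum-share thresholds are assumed values.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records (not real logs): (source host, share path accessed).
# Modelled on the fields a share-access audit record carries, e.g. Windows
# event 5140 "A network share object was accessed".
EVENTS = [
    ("ws-017", r"\\fs01\finance"), ("ws-017", r"\\fs01\finance"),
    ("ws-042", r"\\fs01\hr"), ("ws-042", r"\\fs02\projects"),
    ("ws-055", r"\\fs02\projects"),
    ("ws-103", r"\\fs01\finance"), ("ws-103", r"\\fs01\hr"),
    ("ws-103", r"\\fs01\it"), ("ws-103", r"\\fs02\projects"),
    ("ws-103", r"\\fs02\backups"), ("ws-103", r"\\fs02\ADMIN$"),
    ("ws-103", r"\\fs03\C$"), ("ws-103", r"\\fs03\legal"),
]

def distinct_shares_per_host(events):
    """Return {host: set of distinct shares it accessed}; repeated hits count once."""
    seen = defaultdict(set)
    for host, share in events:
        seen[host].add(share.lower())
    return seen

def enumeration_candidates(events, multiplier=3.0, min_shares=4):
    """Hosts whose distinct-share count is 'significantly in excess' of the norm,
    taken here as more than `multiplier` x the per-host median and at least
    `min_shares` (assumed thresholds; tune them to the network's baseline)."""
    counts = {h: len(s) for h, s in distinct_shares_per_host(events).items()}
    baseline = median(counts.values())
    return {h: n for h, n in counts.items()
            if n >= min_shares and n > multiplier * baseline}

def admin_share_hosts(events):
    """Hosts that touched hidden/administrative shares (names ending in '$')."""
    return {h for h, shares in distinct_shares_per_host(events).items()
            if any(s.endswith("$") for s in shares)}
```

A single analyst workstation walking many shares will also score here, which is why the page's verification steps (ask the user, check file server logs) follow the trigger rather than replace it.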

Why is File Share Enumeration a significant threat?

It can reveal sensitive or confidential information, increase the attack surface for further exploitation, and disrupt business operations if unauthorized access and tampering occur.

What steps should I take if I detect File Share Enumeration?

Investigate the source and scope of the enumeration activity, check for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.

What tools can help verify the presence of File Share Enumeration?

Tools such as network traffic analysis, threat detection and response systems, and intrusion detection systems can help verify and investigate suspicious file share enumeration activities.

How can I prevent File Share Enumeration?

Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.