File Share Enumeration

Signs of File Share Enumeration

  • A host accesses a number of file shares significantly in excess of the number of file shares normally accessed in the network
  • The threat score is proportional to the diversity of shares being mounted: a larger number of shares across a few file servers scores higher than a small number of shares across many file servers
  • The certainty score is driven by the volume of shares mounted

Why Attackers Use File Share Enumeration

  • An attacker is looking for data to exfiltrate or is looking for files which provide additional information necessary for achieving the goals of the attack
  • The host is accessing a large number of file shares as an end user attempts to find a particular file or directory

Business Impact of File Share Enumeration

  • An enumeration of the available file shares in a network is an effective way for an attacker to find data to exfiltrate or data that helps further the attack
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan, so attackers feel they can use it with relatively little risk of detection

How to Investigate Signs of File Share Enumeration

  1. Ask the user of the host whether they have any knowledge of accessing the listed file shares
  2. Check the file server logs to see what files were accessed on the shares
  3. If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; on Windows systems, this can be done using a combination of the netstat and tasklist commands
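
Step 3 as an added example (not Vectra's own tooling): a Python script that joins `netstat -ano` output with `tasklist /FO CSV /NH` output to show which process holds established connections to TCP 445 and how many file servers each one is talking to. The sample command output, the addresses and the process name unknown_tool.exe are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         10.0.1.20:445          ESTABLISHED     4
  TCP    10.0.0.5:49720         10.0.1.21:445          ESTABLISHED     7312
  TCP    10.0.0.5:49721         10.0.1.22:445          ESTABLISHED     7312
  TCP    10.0.0.5:49722         10.0.1.23:445          TIME_WAIT       0
  TCP    10.0.0.5:50100         93.184.216.34:443      ESTABLISHED     6124
  TCP    [fe80::1%12]:49730     [fe80::2%12]:445       ESTABLISHED     7312
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST = '''\
"System","4","Services","0","144 K"
"chrome.exe","6124","Console","1","210,448 K"
"unknown_tool.exe","7312","Console","1","18,204 K"
'''

def smb_connections(netstat_text, port=445):
    """Yield (remote_host, pid) for ESTABLISHED TCP connections to the SMB port."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP" or f[3] != "ESTABLISHED":
            continue  # headers, blank lines, closed or non-TCP entries
        host, _, rport = f[2].rpartition(":")  # rpartition keeps IPv6 hosts intact
        if rport == str(port):
            yield host, int(f[4])

def process_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    rows = csv.reader(tasklist_csv.splitlines())
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def servers_by_process(netstat_text, tasklist_csv):
    """Group remote file servers by the (pid, image name) that owns the connection."""
    names = process_names(tasklist_csv)
    grouped = defaultdict(set)
    for host, pid in smb_connections(netstat_text):
        grouped[(pid, names.get(pid, "<exited>"))].add(host)
    return dict(grouped)

if __name__ == "__main__":
    # PID 4 (System) owns connections made through the built-in Windows SMB
    # client, so those rows do not name the user-mode program behind them;
    # fall back to the file server logs (step 2) for that traffic.
    for (pid, name), hosts in servers_by_process(NETSTAT, TASKLIST).items():
        print(f"{name} (PID {pid}): {len(hosts)} file server(s): {sorted(hosts)}")
```
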
