Signs of File Share Enumeration
- A host accesses a number of file shares significantly in excess of the number of file shares normally accessed in the network
- The threat score is proportional to the diversity of shares being mounted with a higher threat score for larger number of shares across a few file servers vs. a small number of shares across many file servers
- The certainty score is driven by the volume of shares mounted
Why Attackers Use File Share Enumeration
- An attacker is looking for data to exfiltrate or is looking for files which provide additional information necessary for achieving the goals of the attack
- The host is accessing a large number of file shares as an end user attempts to find a particular file or directory
Business Impact of File Share Enumeration
- An enumeration of the available file shares in a network is an effective way for an attacker to find data to exfiltrate or data that helps further the attack
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection
How to Investigate Signs of File Share Enumeration
- Ask the user of the host whether they have any knowledge of accessing the listed file shares
- Check the file server logs to see what files were accessed on the shares
- If the file share access continues and remains unexplained, determine which process on the internal host is accessing the file shares; in Windows systems, this can be done using a combination of netstat and tasklist commands
