T1039 - Data from Network Shared Drive

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Atomic Tests

Atomic Test #1 - Copy a sensitive File over Administrative share with copy

Copy a sensitive file from the C$ administrative share of another LAN computer with the cmd `copy` command (https://twitter.com/SBousseaden/status/1211636381086339073).

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with powershell!

Description: Administrative share must exist on #{remote}

Check Prereq Commands:

```powershell
if (Test-Path "\\127.0.0.1\C$") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Write-Host 'Please Enable "C$" share on 127.0.0.1'
```

Description: "\\#{remote}\C$#{share_file}" must exist on #{remote}

Check Prereq Commands:

```powershell
if (Test-Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Out-File -FilePath "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password"
```

```powershell
Invoke-AtomicTest T1039 -TestNumbers 1 -GetPreReqs
```

Attack Commands: Run with command_prompt

```cmd
copy \\127.0.0.1\C$\Windows\temp\Easter_Bunny.password %TEMP%\Easter_egg.password
```

```powershell
Invoke-AtomicTest T1039 -TestNumbers 1
```

Cleanup:

```cmd
del \\127.0.0.1\C$\Windows\temp\Easter_Bunny.password
del %TEMP%\Easter_egg.password
```

```powershell
Invoke-AtomicTest T1039 -TestNumbers 1 -Cleanup
```

Atomic Test #2 - Copy a sensitive File over Administrative share with Powershell

Copy a sensitive file from the C$ administrative share of another LAN computer with PowerShell (https://twitter.com/SBousseaden/status/1211636381086339073).

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with powershell!

Description: Administrative share must exist on #{remote}

Check Prereq Commands:

```powershell
if (Test-Path "\\127.0.0.1\C$") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Write-Host 'Please Enable "C$" share on 127.0.0.1'
```

Description: "\\#{remote}\C$#{share_file}" must exist on #{remote}

Check Prereq Commands:

```powershell
if (Test-Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
Out-File -FilePath "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password"
```

```powershell
Invoke-AtomicTest T1039 -TestNumbers 2 -GetPreReqs
```

Attack Commands: Run with powershell

```powershell
copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"
```

```powershell
Invoke-AtomicTest T1039 -TestNumbers 2
```

Cleanup:

```powershell
Remove-Item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password"
Remove-Item -Path "$Env:TEMP\Easter_egg.password"
```

```powershell
Invoke-AtomicTest T1039 -TestNumbers 2 -Cleanup
```

Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
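As an added example (not part of the Atomic Red Team page), here is a small Python detector that applies the guidance above to process-creation events such as Sysmon Event ID 1 or Security 4688 records: it flags any command line that references an administrative-share UNC path (`\\host\C$\...`, `\\host\ADMIN$\...`) and rates it higher when a copy verb such as cmd `copy` or PowerShell `Copy-Item` is present, which is exactly what the two tests above produce. The event field names and the sample events are constructed for the example.

```python
import re
from typing import Optional

# UNC path to a Windows administrative share: \\<host>\<X$ or ADMIN$>\<optional path>
ADMIN_SHARE_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([A-Za-z]\$|ADMIN\$)(\\[^\s\"']*)?", re.I)
# Copy verbs: cmd `copy` and PowerShell `Copy-Item` from the tests above, plus
# xcopy/robocopy and the cp/cpi aliases a detection should also cover.
COPY_VERB_RE = re.compile(r"(?<![\w-])(copy|xcopy|robocopy|copy-item|cp|cpi)(?![\w-])", re.I)


def classify_event(event: dict) -> Optional[dict]:
    """Inspect one process-creation event (constructed keys: host, user, image, command_line).

    Returns None when the command line never touches an admin share. A copy verb
    plus an admin-share path is rated 'high'; any other admin-share reference 'low'.
    """
    cmd = event.get("command_line", "")
    share = ADMIN_SHARE_RE.search(cmd)
    if share is None:
        return None
    remote_host, share_name, path = share.groups()
    return {
        "technique": "T1039",
        "severity": "high" if COPY_VERB_RE.search(cmd) else "low",
        "host": event.get("host"),
        "user": event.get("user"),
        "image": event.get("image"),
        "remote_host": remote_host,
        "share": share_name.upper(),
        "source_path": (path or "").lstrip("\\"),
    }


def scan(events: list) -> list:
    """Run classify_event over a batch of events and keep only the findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample events: the two atomic tests above, then two that must not fire 'high'.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "LAB\\alice", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy \\127.0.0.1\C$\Windows\temp\Easter_Bunny.password %TEMP%\Easter_egg.password"},
    {"host": "WS01", "user": "LAB\\alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -Command "copy-item -Path \\127.0.0.1\C$\Windows\temp\Easter_Bunny.password -Destination $Env:TEMP\Easter_egg.password"'},
    {"host": "WS01", "user": "LAB\\bob", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe \\fileserver01\ADMIN$\notes.txt"},
    {"host": "WS01", "user": "LAB\\bob", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\Users\bob\report.docx D:\backup\report.docx"},
]
```

The rule is deliberately scoped to hidden administrative shares; ordinary shares (`\\server\public\...`) also fall under T1039, so a production rule would widen `ADMIN_SHARE_RE` and tune on the share names in use.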

Shield Active Defense

Pocket Litter

Place data on a system to reinforce the legitimacy of the system or user.

Pocket Litter is data placed on a system to convince an adversary that the system and its users are real. Pocket litter includes documents, registry entries, log history, browsing history, connection history, and other user data that one would expect to exist on a user's computer. This content may overlap with Decoy Content; however, Pocket Litter covers aspects beyond just content (e.g. installed applications, source code, clutter on a system, etc.).

Opportunity

In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary’s behaviors, test their interest in specific topics, or add legitimacy to a system or environment.

Use Case

A defender can stage a variety of pocket litter files on an attached storage space. This data may include topics that align to a persona, topics an adversary is interested in, etc.

Procedures

When staging a decoy system and user account, populate a user’s folders and web history to make it look realistic to an adversary. Stage a USB device with documents on a specific topic in order to see if they are exfiltrated by an adversary.