DC0102 Network Share Access

| Item | Value |
| --- | --- |
| ID | DC0102 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
| --- | --- |
| m365:unified | FileUploaded, FileAccessed |
| Network Share | None |
| NSM:Flow | smb_files.log |
| WinEventLog:Microsoft-Windows-SMBClient/Security | EventCode=31001 |
| WinEventLog:Microsoft-Windows-SMBServer | Access to SYSVOL share from non-admin user or unusual endpoints |
| WinEventLog:Security | EventCode=5140 |
| WinEventLog:Security | EventCode=5145 |

Detection Strategy

| ID | Name | Technique Detected |
| --- | --- | --- |
| DET0413 | Abuse of Information Repositories for Data Collection | T1213 |
| DET0381 | Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL | T1552.006 |
| DET0367 | Detect Network Logon Script Abuse via Multi-Event Correlation on Windows | T1037.003 |
| DET0549 | Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms | T1552.004 |
| DET0754 | Detection of Data from Information Repositories | T0811 |
| DET0745 | Detection of Lateral Tool Transfer | T0867 |
| DET0071 | Detection of Remote Data Staging Prior to Exfiltration | T1074.002 |
| DET0804 | Detection of Remote Services | T0886 |
| DET0471 | Detection of Tainted Content Written to Shared Storage | T1080 |
| DET0410 | Detection Strategy for Data from Network Shared Drive | T1039 |
| DET0183 | Detection Strategy for Lateral Tool Transfer across OS platforms | T1570 |
| DET0476 | Email Collection via Local Email Access and Auto-Forwarding Behavior | T1114 |