Skip to content

DET0182 Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS

Item Value
ID DET0182
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1135 (Network Share Discovery)

Analytics

Windows

AN0513

Process or script enumerates network shares via CLI (net view/net share, PowerShell Get-SmbShare/WMI) or OS APIs (NetShareEnum/ srvsvc.NetShareEnumAll RPC) → bursts of outbound SMB/RPC connections (445/139, \host\IPC$ / srvsvc) to many hosts inside a short window → optional follow-on file listing or copy operations.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Named Pipe Metadata (DC0048) WinEventLog:Sysmon EventCode=17
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
OS API Execution (DC0021) etw:Microsoft-Windows-RPC rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes
Mutable Elements
Field Description
BurstHostThreshold Minimum number of unique destination hosts over SMB within TimeWindow to treat as scanning (e.g., ≥5).
TimeWindow Correlation window between the discovery process start and SMB fan-out (default 10m).
AllowedDiscoveryAccounts Service/admin accounts legitimately running inventory scripts.
PipeNameAllowList Pipes (e.g., \PIPE\spoolss) normally accessed by management agents; exclude from alerts.

Linux

AN0514

CLI tools (smbclient -L, smbmap, rpcclient, nmblookup) or custom scripts enumerate SMB shares on many internal hosts → corresponding SMB connections (445/139) captured by Zeek/Netflow within a short window.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb
Network Connection Creation (DC0082) NSM:Flow connection: TCP connections to ports 139/445 to multiple hosts
OS API Execution (DC0021) NSM:Flow smb_command: TreeConnectAndX to \*\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares
Mutable Elements
Field Description
BurstHostThreshold Minimum unique hosts to flag (e.g., ≥5).
TimeWindow Correlation window between tool exec and SMB fan-out (default 10m).
ApprovedInventoryHosts IPs of vulnerability scanners or config mgmt systems.

macOS

AN0515

Use of native/mac tools (sharing -l, smbutil view, mount_smbfs) or scripts to enumerate SMB shares across many hosts, followed by outbound SMB connections observed in PF/Zeek logs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of “sharing -l”, “smbutil view”, “mount_smbfs”
Command Execution (DC0064) macos:unifiedlog Command line contains smbutil view //, mount_smbfs //
Network Traffic Flow (DC0078) NSM:Firewall Outbound connections to 139/445 to multiple destinations
Network Connection Creation (DC0082) NSM:Flow connection: SMB connections to multiple internal hosts
Mutable Elements
Field Description
BurstHostThreshold Minimum unique SMB destinations (e.g., ≥3–5 in smaller mac fleets).
TimeWindow Correlation window between exec and SMB connections (default 10m).
AllowedMgmtTools Jamf/IT scripts legitimately running smbutil/mount_smbfs.