
DET0410 Detection Strategy for Data from Network Shared Drive

| Item | Value |
|---|---|
| ID | DET0410 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1039 (Data from Network Shared Drive)

Analytics

Windows

AN1145

Monitoring of file access to network shares (e.g., C$, Admin$) followed by unusual read or copy operations by processes not typically associated with such activity (e.g., PowerShell, certutil).

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

Mutable Elements

| Field | Description |
|---|---|
| ShareName | Organizations may use custom share paths outside of the defaults (C$, Admin$, etc.). |
| ProcessName | Common toolsets vary; defenders should tailor this to the processes that are unusual in their environment. |
| TimeWindow | Time of day and access duration may need to be tuned to reduce false positives. |
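The following is an added example, not code from the DET0410 page or from MITRE: it correlates the two log sources named above (Security EventCode=5145 and Sysmon EventCode=11) and exposes the three mutable elements (ShareName, ProcessName, TimeWindow) as tunables. The event records are constructed samples in a flat key=value form as a SIEM might export them; the field names (ShareName, RelativeTargetName, SubjectUserName, Image, TargetFilename, UtcTime) are those of the real Windows events, while hostnames, users and IPs are made up. Correlation is on the account name, which appears as SubjectUserName on the file server's 5145 and as User on the client's Sysmon 11.

```python
"""Correlate Security 5145 (network share object access) with Sysmon Event 11
(file creation): alert when an admin share is read and, within TIME_WINDOW,
a process not normally used for copying writes a file as the same account."""
import re
from datetime import datetime, timedelta

# Mutable elements from the analytic, exposed as tunables (assumed defaults).
ADMIN_SHARES = {"C$", "ADMIN$"}          # ShareName, upper-cased, without the \\*\ prefix
UNUSUAL_PROCESSES = {"powershell.exe", "certutil.exe", "bitsadmin.exe"}  # ProcessName
TIME_WINDOW = timedelta(minutes=10)      # TimeWindow between share read and local write

# Constructed sample records (not real telemetry), one event per string.
SAMPLE_EVENTS = [
    # Security 5145 on file server FS01: jdoe reads a file through \\FS01\C$
    r"EventCode=5145 TimeCreated=2025-10-21T09:15:02 Computer=FS01 SubjectUserName=jdoe "
    r"IpAddress=10.10.4.23 ShareName=\\*\C$ RelativeTargetName=Users\finance\q3.xlsx AccessMask=0x1",
    # Sysmon 11 on the client: powershell.exe writes a local copy 40 seconds later
    r"EventCode=11 UtcTime=2025-10-21 09:15:42.117 Computer=WS-023 User=CORP\jdoe "
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\Users\Public\q3.xlsx",
    # Benign: asmith opens an ordinary departmental share, then Explorer saves a file
    r"EventCode=5145 TimeCreated=2025-10-21T09:20:00 Computer=FS01 SubjectUserName=asmith "
    r"IpAddress=10.10.4.31 ShareName=\\*\Finance RelativeTargetName=budget.xlsx AccessMask=0x1",
    r"EventCode=11 UtcTime=2025-10-21 09:20:30.000 Computer=WS-031 User=CORP\asmith "
    r"Image=C:\Windows\explorer.exe TargetFilename=C:\Users\asmith\Desktop\budget.xlsx",
    # Admin-share access with no follow-up file write inside the window
    r"EventCode=5145 TimeCreated=2025-10-21T07:00:00 Computer=FS01 SubjectUserName=backupsvc "
    r"IpAddress=10.10.9.2 ShareName=\\*\ADMIN$ RelativeTargetName=System32\config\SAM AccessMask=0x1",
]

# A value runs until the next " key=" token, so values containing spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Parse one key=value record; add normalised _time/_user/_share/_process fields."""
    fields = dict(KV_RE.findall(line))
    code = fields.get("EventCode")
    if code == "5145":
        fields["_time"] = datetime.fromisoformat(fields["TimeCreated"])
        fields["_user"] = fields["SubjectUserName"].lower()
        fields["_share"] = fields["ShareName"].rsplit("\\", 1)[-1].upper()   # \\*\C$ -> C$
    elif code == "11":
        fields["_time"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        fields["_user"] = fields["User"].rsplit("\\", 1)[-1].lower()         # CORP\jdoe -> jdoe
        fields["_process"] = fields["Image"].rsplit("\\", 1)[-1].lower()     # full path -> image name
    else:
        return None
    return fields


def detect(lines, admin_shares=ADMIN_SHARES, unusual_processes=UNUSUAL_PROCESSES, window=TIME_WINDOW):
    """Return one alert per (admin-share read, unusual-process write) pair by the same account."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    share_reads = [e for e in events if e["EventCode"] == "5145" and e["_share"] in admin_shares]
    alerts = []
    for fc in events:
        if fc["EventCode"] != "11" or fc["_process"] not in unusual_processes:
            continue
        for sa in share_reads:
            gap = fc["_time"] - sa["_time"]
            if sa["_user"] == fc["_user"] and timedelta(0) <= gap <= window:
                alerts.append({
                    "user": fc["_user"],
                    "client_ip": sa["IpAddress"],
                    "share": sa["_share"],
                    "source": sa["RelativeTargetName"],
                    "process": fc["_process"],
                    "written": fc["TargetFilename"],
                    "host": fc["Computer"],
                    "gap_seconds": round(gap.total_seconds(), 3),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

With the defaults only jdoe's read from C$ followed by a PowerShell write is flagged; widening `admin_shares` to include the Finance share and `unusual_processes` to include explorer.exe also flags asmith, which is the false-positive trade-off the ShareName and ProcessName elements exist to control. Two practical caveats: 5145 is only emitted when the "Detailed File Share" audit subcategory is enabled and it is high-volume on busy file servers, and joining on the account name alone is loose; in production also tie the 5145 IpAddress to the client host that produced the Sysmon event.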

Linux

AN1146

Unusual access or copying of files from mounted network drives (e.g., NFS, CIFS/SMB) by user shells or scripts followed by large data transfer.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | auditd:SYSCALL | open,read |
| Drive Access (DC0054) | linux:syslog | mount/umount or file copy logs |

Mutable Elements

| Field | Description |
|---|---|
| MountPoint | Organization-specific share mount paths may vary (e.g., /mnt/share1, /srv/data). |
| UID | May need to be scoped to service accounts or user ID patterns specific to enterprise policy. |
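An added example for the Linux analytic, not code from the DET0410 page or from MITRE: it parses auditd SYSCALL and PATH records, keeps successful open/openat calls on files under a monitored MountPoint by non-exempt UIDs, and raises one alert when a single UID touches a burst of distinct share files inside a short window. auditd records carry no byte counts, so the "large data transfer" in the analytic is approximated here by file count per window; adjust that proxy to your telemetry. The audit lines are constructed (generated by a small helper in auditd's native format, trimmed of fields the logic does not use), and the mount points, UIDs, thresholds and the audit key `netshare` are assumptions. It assumes a rule such as `-a always,exit -F arch=b64 -S open,openat -F dir=/mnt/share1 -k netshare` is loaded so the records exist.

```python
"""Burst detection over auditd open/openat records for files under network-share
mount points. Alert when one UID opens >= BURST_THRESHOLD distinct share files
within WINDOW_SECONDS; exempt UIDs (backup/service accounts) are ignored."""
import re
from collections import defaultdict

# Mutable elements from the analytic (assumed defaults).
MOUNT_POINTS = ("/mnt/share1", "/srv/data")   # MountPoint
EXEMPT_UIDS = {0, 999}                        # UID: root and an assumed backup service account
BURST_THRESHOLD = 5                           # distinct share files per window
WINDOW_SECONDS = 60

OPEN_SYSCALLS = {"2", "257"}                  # open, openat on x86_64 (arch=c000003e)


def _audit_pair(serial, ts, uid, comm, exe, path, success="yes"):
    """Build a constructed SYSCALL+PATH record pair (trimmed auditd format)."""
    return [
        f"type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=257 success={success} "
        f"exit={3 if success == 'yes' else -13} items=1 pid={2000 + serial} auid={uid} uid={uid} "
        f"gid={uid} euid={uid} comm=\"{comm}\" exe=\"{exe}\" key=\"netshare\"",
        f"type=PATH msg=audit({ts:.3f}:{serial}): item=0 name=\"{path}\" inode={100 + serial} "
        f"dev=00:2c mode=0100644 ouid={uid} ogid={uid} rdev=00:00 nametype=NORMAL",
    ]


# Constructed sample log: uid 1000 copies six finance files in 25 s (should alert),
# uid 1001 opens one share file and one home file, uid 1000 fails to open a file,
# and root (exempt) runs a backup over /srv/data.
T0 = 1761037200.0
SAMPLE_AUDIT = []
for i, name in enumerate(["q3.xlsx", "payroll.csv", "board-deck.pptx",
                          "contracts.zip", "customers.db", "ma-plan.docx"]):
    SAMPLE_AUDIT += _audit_pair(4700 + i, T0 + 5 * i, 1000, "cp", "/usr/bin/cp",
                                f"/mnt/share1/finance/{name}")
SAMPLE_AUDIT += _audit_pair(4800, T0 + 100, 1001, "soffice", "/usr/bin/soffice", "/srv/data/report.odt")
SAMPLE_AUDIT += _audit_pair(4801, T0 + 110, 1001, "cat", "/usr/bin/cat", "/home/bob/notes.txt")
SAMPLE_AUDIT += _audit_pair(4802, T0 + 120, 1000, "vim", "/usr/bin/vim", "/mnt/share1/secret.key", success="no")
for i in range(6):
    SAMPLE_AUDIT += _audit_pair(4900 + i, T0 + 200 + i, 0, "rsync", "/usr/bin/rsync", f"/srv/data/backup{i}.tar")

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit(lines):
    """Group SYSCALL and PATH records by audit serial number."""
    records = defaultdict(lambda: {"ts": None, "SYSCALL": None, "PATH": []})
    for line in lines:
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        rec = records[serial]
        rec["ts"] = float(ts)
        if rtype == "SYSCALL":
            rec["SYSCALL"] = fields
        elif rtype == "PATH":
            rec["PATH"].append(fields)
    return records


def share_opens(records, mount_points=MOUNT_POINTS, exempt_uids=EXEMPT_UIDS):
    """Successful opens of files under a monitored mount point by a non-exempt UID."""
    prefixes = tuple(mp.rstrip("/") + "/" for mp in mount_points)
    hits = []
    for rec in records.values():
        sc = rec["SYSCALL"]
        if not sc or sc.get("syscall") not in OPEN_SYSCALLS or sc.get("success") != "yes":
            continue
        uid = int(sc["uid"])
        if uid in exempt_uids:
            continue
        for p in rec["PATH"]:
            if p.get("nametype") == "NORMAL" and p.get("name", "").startswith(prefixes):
                hits.append((rec["ts"], uid, sc.get("comm"), p["name"]))
    return sorted(hits)


def detect_bursts(hits, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """One alert per UID whose densest window holds >= threshold distinct share files."""
    by_uid = defaultdict(list)
    for h in hits:
        by_uid[h[1]].append(h)
    alerts = []
    for uid, evs in by_uid.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window start forward
                start += 1
            span = evs[start:end + 1]
            n = len({e[3] for e in span})
            if n >= threshold and (best is None or n > best["files"]):
                best = {"uid": uid, "files": n, "seconds": round(evs[end][0] - evs[start][0], 3),
                        "processes": sorted({e[2] for e in span})}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(share_opens(parse_audit(SAMPLE_AUDIT))):
        print(alert)
```

Clearing `exempt_uids` makes the root rsync job alert as well, which is exactly the noise the UID element is meant to scope out; conversely a dedicated exfiltration account is only caught if it is not on that list, so keep the exemptions tight and review them. The failed `vim` open and the `/home` file are dropped by the `success` and mount-point filters rather than by the threshold.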

macOS

AN1147

Detection of file access from mounted SMB shares followed by copy or exfil commands from Terminal or script interpreter processes.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | macos:unifiedlog | filesystem and process events |
| Drive Access (DC0054) | fs:fsusage | open/read/mount operations |

Mutable Elements

| Field | Description |
|---|---|
| ProcessPath | Script interpreters may vary (e.g., zsh, bash, python, osascript). |
| SharePath | Network drive mount points may differ across enterprises. |