PowerHuntShares Commands

Anvilogic Forge

Summary
The PowerHuntShares Commands detection rule identifies activity in which adversaries use PowerShell commands to discover network shares, accounts, and remote systems inside a compromised environment. This behavior is typically an early reconnaissance step: attackers enumerate shared folders, valid accounts, and system identifiers that can later support lateral movement or further exploitation, such as account takeover, brute-force attacks, or phishing. The rule specifically looks for PowerShell commands associated with network discovery, including `Invoke-HuntSMBShares`, which attackers use to identify accessible network shares. It collects the relevant data with Splunk queries over Windows event logs and process command-line parameters, giving defenders visibility into this activity during the attacker's reconnaissance phase.
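The following is an added illustration of the command-line matching described above, written here rather than taken from the Anvilogic rule or its Splunk query. The sample events are constructed and the field names (`host`, `user`, `image`, `cmdline`) are assumptions standing in for Windows 4688 / Sysmon process-creation fields; it also shows the check a practitioner would add so that a `-EncodedCommand` argument does not hide the function name from the match.

```python
import base64
import re

def _enc(cmd: str) -> str:
    """Build a PowerShell -EncodedCommand value (base64 of UTF-16LE text)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")

# Constructed sample events; field names are assumed, none of this is real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -ep bypass -c "Import-Module .\\PowerHuntShares.psm1; Invoke-HuntSMBShares -Threads 100"'},
    {"host": "ws02", "user": "CORP\\asmith", "image": "pwsh.exe",
     "cmdline": "pwsh.exe -NoProfile -Command invoke-huntsmbshares -HostList hosts.txt"},
    {"host": "ws03", "user": "CORP\\rlee", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + _enc("Invoke-HuntSMBShares -OutputDirectory C:\\temp")},
    {"host": "srv01", "user": "CORP\\svc_backup", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\nightly_backup.ps1"},
    {"host": "ws04", "user": "CORP\\jdoe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir \\\\fileserver\\public"},
]

POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# The function named in the rule, plus the module name it is loaded from.
HUNT_PATTERN = re.compile(r"invoke-huntsmbshares|powerhuntshares", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts (-ec, -en, -enc, ...), then the blob.
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

def expand_encoded(cmdline: str) -> str:
    """Append the decoded text of any -EncodedCommand argument so the pattern
    match sees what PowerShell will actually run, not just the base64 blob."""
    decoded = []
    for blob in ENCODED_ARG.findall(cmdline):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; the raw text is still matched
    return " ".join([cmdline, *decoded])

def is_powerhuntshares(event: dict) -> bool:
    """True when a PowerShell host process carries a PowerHuntShares invocation."""
    if event.get("image", "").lower() not in POWERSHELL_IMAGES:
        return False
    return HUNT_PATTERN.search(expand_encoded(event.get("cmdline", ""))) is not None

def detect(events):
    """Return one alert per matching event, preserving input order."""
    return [{"host": e["host"], "user": e["user"], "cmdline": e["cmdline"]}
            for e in events if is_powerhuntshares(e)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[PowerHuntShares] {alert['host']} {alert['user']}: {alert['cmdline'][:80]}")
```

Running it flags ws01, ws02 and ws03 (the last only because the encoded argument is decoded first) and leaves the backup script and the cmd.exe directory listing alone.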
Categories
  • Windows
  • Network
  • Cloud
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1135
  • T1087
  • T1018
Created: 2024-02-09