Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1039 | Data from Network Shared Drive |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may search host shared directories between a VM and host device to find files of interest. Hypervisor hardening can restrict or limit the ability to share files between the virtualized machine and host system, making it harder for attackers to collect data from host shared directories.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1039 | Data from Network Shared Drive | |
| attribute.confidentiality.data_disclosure | None | related-to | T1039 | Data from Network Shared Drive |