Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Invoke-ShareFinder is a popular tool that makes file share enumeration relatively easy to perform. But an attacker must have network access to the target to run ShareFinder. Enumeration activity typically does not negatively affect network performance, but attackers can leverage this information to find new targets in an attack campaign.
Kill Chain
Risk Score
65
Invoke-ShareFinder is a PowerShell script that is designed to discover and enumerate shared resources across a network. Active Directory (AD) is one of the information sources that is targeted by ShareFinder. ShareFinder leverages network protocols such as LDAP and SMB to retrieve data from domain controllers about computers on the local network. For example, ShareFinder runs different types of LDAP queries to retrieve different collections of data in a domain, such as workstations. Sharefinder then sends an ICMP ping, which confirms the enumerated computers retrieved from the LDAP queries. After retrieving a list of Windows hosts and with access to network shares, ShareFinder attempts to connect to Windows hosts over SMB.
Restrict PowerShell scripts on Windows hosts
Restrict PowerShell scripts by configuring PowerShell execution policies
Limit scripts to AppLocker administrators
