A user accessed an abnormal number of remote shared folders

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent
  • Requires:
    • eXtended Threat Hunting (XTH)

Detection Modules

Identity Threat Module

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Network Shared Drive (T1039)

Severity

Informational

Description

A user accessed an abnormal number of remote shared folders. This might indicate an attempt to collect data before exfiltration.

Attacker's Goals

Collect valuable data about the organization for exfiltration purposes.

Investigative actions

  • Check for other suspicious activity by the user at the time of the event.
  • Inspect the shared folder and verify whether the user should have access to that folder.
  • Go over the list of files and check whether the user should have access to those files.

Variations

A user accessed an abnormal number of remote shared folders for the first time

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Network Shared Drive (T1039)

Severity

Low

Description

A user accessed an abnormal number of remote shared folders for the first time. This might indicate an attempt to collect data before exfiltration.
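The two descriptions above, combined with the Synopsis periods, sketched as a per-user baseline of distinct remote shares per hour. This is an added example, not Cortex XDR's detection logic and not code from this page. The threshold rule (`MIN_SHARES`, `SIGMAS`), the event tuple format, the reading of "first time" as no share history in the training window, and the sample data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

TRAINING = timedelta(days=30)  # Training Period from the Synopsis
TEST = timedelta(hours=1)      # Test Period from the Synopsis
DEDUP = timedelta(days=1)      # Deduplication Period from the Synopsis
MIN_SHARES = 10                # assumed floor, not a documented value
SIGMAS = 3                     # assumed deviation multiplier, not documented

def hourly_counts(events, user, start, end):
    """Distinct remote shares per clock hour for one user in [start, end)."""
    buckets = defaultdict(set)
    for ts, u, share in events:
        if u == user and start <= ts < end:
            buckets[ts.replace(minute=0, second=0, microsecond=0)].add(share)
    return [len(shares) for shares in buckets.values()]

def evaluate(events, user, now, last_alert=None):
    """Return None, 'abnormal' or 'abnormal_first_time' for the hour ending at now."""
    if last_alert is not None and now - last_alert < DEDUP:
        return None  # same user already alerted within the deduplication period
    seen = {s for ts, u, s in events if u == user and now - TEST <= ts < now}
    history = hourly_counts(events, user, now - TEST - TRAINING, now - TEST)
    if not history:  # assumed meaning of the "first time" variation
        return "abnormal_first_time" if len(seen) >= MIN_SHARES else None
    threshold = max(MIN_SHARES, mean(history) + SIGMAS * pstdev(history))
    return "abnormal" if len(seen) > threshold else None

def sample_events(now):
    """Constructed sample data: (timestamp, user, share) tuples."""
    ev = []
    for d in range(1, 30):
        day = now - timedelta(days=d, minutes=30)
        ev += [(day, "alice", r"\\fs01\hr"), (day, "alice", r"\\fs01\eng")]
        ev += [(day, "carol", r"\\fs01\eng")]
    burst = now - timedelta(minutes=20)
    ev += [(burst, "alice", r"\\fs%02d\data" % i) for i in range(25)]
    ev += [(burst, "bob", r"\\fs%02d\data" % i) for i in range(12)]
    ev += [(burst, "carol", r"\\fs01\eng")]
    return ev

if __name__ == "__main__":
    now = datetime(2024, 6, 4, 12, 0)
    events = sample_events(now)
    for user in ("alice", "bob", "carol"):
        print(user, evaluate(events, user, now))
```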

Attacker's Goals

Collect valuable data about the organization for exfiltration purposes.

Investigative actions

  • Check for other suspicious activity by the user at the time of the event.
  • Inspect the shared folder and verify whether the user should have access to that folder.
  • Go over the list of files and check whether the user should have access to those files.