AN0513: Analytic 0513
Process or script enumerates network shares via CLI (net view/net share, PowerShell Get-SmbShare/WMI) or OS APIs (NetShareEnum / srvsvc.NetShareEnumAll RPC) → bursts of outbound SMB/RPC connections (445/139, \\host\IPC$ / srvsvc) to many hosts inside a short window → optional follow-on file listing or copy operations.
Analyst context for executives and security teams
This analytic matters because rapid network share enumeration on Windows can reveal where sensitive files, administrative shares, and reachable systems are located. For leaders, the value is not just detecting a command or API call; it is validating whether the organization can see unusual internal SMB/RPC scanning behavior before it turns into broad file access or copy activity.
Executive priority
Prioritize this as a resilience and evidence question: can the SOC prove it can identify a Windows host suddenly querying many internal shares over SMB/RPC, and can incident responders quickly determine whether follow-on file listing or copy activity occurred? Coverage depends on endpoint, network, and file-access telemetry being available and correlated; without that, investigations may miss early signs of internal discovery involving shared data locations.
Technical view
The supplied analytic describes Windows processes or scripts enumerating network shares via CLI, PowerShell/WMI, or OS/RPC APIs, followed by bursts of outbound SMB/RPC connections to many hosts in a short window and possible file listing or copy operations. Detection engineering should validate host-side process/script visibility, outbound connection patterns to TCP 445/139, IPC$ or srvsvc-related activity, and subsequent file access behavior. No official detection logic or ATT&CK tactic mapping is supplied, so local baselining is required.
Likely telemetry
- Windows process creation and command-line telemetry
- PowerShell execution and script block or module activity where available
- WMI activity related to SMB share queries
- Endpoint network connection telemetry for outbound SMB/RPC to TCP 445/139
- Network flow or firewall logs showing short-window connections to many internal hosts
Detection direction
- Baseline legitimate administrative share enumeration from IT tools, backup systems, vulnerability scanners, and asset inventory platforms to reduce false positives.
- Look for a single Windows host making bursts of SMB/RPC connections to many internal hosts within a short time window, especially when paired with share enumeration process or script activity.
- Correlate enumeration with follow-on directory listing, file reads, or copy operations to increase investigative priority.
- Validate visibility into both command-based enumeration and API/RPC-based enumeration, since process names alone may miss OS API or srvsvc activity.
- Account for blind spots where endpoint logging is incomplete, east-west network flow is not collected, or SMB activity is encrypted or aggregated without host-level detail.
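The correlation the detection direction describes (one host fanning out to many internal hosts on TCP 445/139 within a short window, prioritised when a share-enumeration command ran on that host, and suppressed for baselined scanners) can be expressed as a small window-counting rule. The following is an added example written for this page, not logic supplied with the analytic; the host names, timestamps and the allowlist entry are constructed sample telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line markers of share enumeration named in the analytic (CLI, PowerShell, WMI, API).
ENUM_RE = re.compile(r"\bnet(?:\.exe)?\s+(?:view|share)\b|Get-SmbShare|Win32_Share|NetShareEnum", re.I)
SMB_PORTS = {445, 139}
# Hosts baselined as legitimate enumerators (assumed placeholder name for an approved scanner).
ALLOWLIST = {"SCANNER-01"}

def ev(ts, host, **fields):
    """Build a normalized event; timestamps are ISO-8601 strings."""
    return {"ts": datetime.fromisoformat(ts), "host": host, **fields}

# Constructed sample telemetry (not real logs). WS-101 runs 'net view' and then
# fans out to six hosts on 445; SCANNER-01 is an allowlisted scanner; WS-202 is benign.
EVENTS = [ev("2024-01-10T09:00:00", "WS-101", type="process", cmd="net view \\\\FS-01")]
EVENTS += [ev(f"2024-01-10T09:00:{5 + 4 * i:02d}", "WS-101", type="network",
              dst=f"10.0.0.{i + 1}", dport=445) for i in range(6)]
EVENTS += [ev(f"2024-01-10T09:00:{i:02d}", "SCANNER-01", type="network",
              dst=f"10.0.1.{i + 1}", dport=445) for i in range(10)]
EVENTS += [ev("2024-01-10T09:10:00", "WS-202", type="network", dst="10.0.0.50", dport=445)]

def detect(events, window=timedelta(seconds=60), min_targets=5, allowlist=ALLOWLIST):
    """Flag a host that reaches >= min_targets distinct hosts on SMB ports inside one window.
    Priority is raised when a share-enumeration command ran on that host within one window
    before the burst (correlation of process and network telemetry)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        if host in allowlist:
            continue  # baselined administrative enumeration, per the detection direction
        conns = sorted((e for e in evs if e["type"] == "network" and e["dport"] in SMB_PORTS),
                       key=lambda e: e["ts"])
        for c in conns:  # slide the window over each connection as a candidate burst start
            start, end = c["ts"], c["ts"] + window
            targets = {x["dst"] for x in conns if start <= x["ts"] <= end}
            if len(targets) < min_targets:
                continue
            enum_seen = any(e["type"] == "process" and ENUM_RE.search(e["cmd"])
                            and start - window <= e["ts"] <= end for e in evs)
            alerts.append({"host": host, "targets": len(targets), "window_start": start.isoformat(),
                           "enum_cmd": enum_seen, "priority": "high" if enum_seen else "medium"})
            break  # one alert per host per burst is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The window size, target threshold and allowlist are the local-baseline knobs the analytic leaves to each environment; the API/RPC-only case (no command line at all) still surfaces here as a medium-priority burst because the rule keys on the connection fan-out, not the process name.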
Mitigation priorities
- Confirm least-privilege access to network shares and remove unnecessary broad read access.
- Harden and monitor administrative shares and sensitive file repositories.
- Limit unnecessary SMB/RPC exposure between workstation segments where business operations allow.
- Ensure approved administrative tools and scanners are documented so SOC detections can distinguish expected enumeration from suspicious bursts.
- Prepare IR playbooks to triage the source host, queried destinations, accessed shares, and any follow-on file copy activity.
Analyst notes and limits
This is a detection analytic object, not a technique object. The supplied fields identify Windows as the platform and describe network share enumeration behavior, but provide no official detection implementation, tactic, labels, aliases, or relationship context. Treat this as a coverage-validation prompt for managed detection, incident response readiness, identity/access review for shared data, and network segmentation evidence.
No official detection text, relationship context, tactic mapping, or active exploitation context was supplied. Any severity, allowlist, threshold, or business impact assessment must be based on local environment baselines, share sensitivity, and confirmed telemetry availability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8a86011552e8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0513
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.