AN1146: Analytic 1146
Unusual access or copying of files from mounted network drives (e.g., NFS, CIFS/SMB) by user shells or scripts followed by large data transfer.
Analyst context for executives and security teams
This analytic matters because mounted network drives on Linux systems can concentrate sensitive business data in places that look like normal file access. Unusual copying from NFS or CIFS/SMB mounts by user shells or scripts, followed by large data transfer, is a practical warning pattern for possible data staging or unauthorized movement of shared files. For leaders, the value is not just detecting one command; it is validating whether the organization can see abnormal use of shared storage before it becomes an incident-response, legal, or continuity problem.
Executive priority
Prioritize this as a control-validation item for environments where Linux hosts access shared file stores. Security leaders should ask whether SOC and incident response teams can identify who accessed mounted network shares, from which host, by which shell or script, and whether the activity was followed by unusually large transfer volume. This supports resilience, audit evidence, and incident decision-making around sensitive shared data, but local business context is required to define what “unusual” and “large” mean.
Technical view
ATT&CK provides this as a Linux detection analytic: unusual access or copying of files from mounted network drives such as NFS or CIFS/SMB by user shells or scripts followed by large data transfer. SOC and detection engineering teams should validate visibility across Linux process execution, mounted filesystem access, user context, script execution, and network transfer volume. Because no ATT&CK detection logic is supplied, teams should build environment-specific baselines for normal shared-drive access and transfer behavior, then investigate deviations involving shell or scripted copy activity.
Likely telemetry
- Linux process execution events for shells, scripts, and file-copy utilities
- User and account context for interactive and scripted activity
- Mounted filesystem information, including NFS and CIFS/SMB mount points
- File access or file copy activity on mounted network drives where available
- Network flow or transfer-volume telemetry from Linux hosts
Detection direction
- Validate that Linux hosts accessing NFS or CIFS/SMB mounts are included in monitoring scope.
- Correlate shell or script-driven file access on mounted network drives with subsequent large outbound or lateral data transfer volume.
- Tune baselines by user, host, mount point, business process, and time window to reduce false positives from backups, data processing jobs, migrations, and administrative scripts.
- Confirm whether file-level visibility exists on network-mounted paths; endpoint tools may not capture remote filesystem activity consistently.
- Use relationship-driven enrichment only from local sources, because no ATT&CK relationships were supplied for this analytic.
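The correlation described in the list above, written out as a small, runnable example. This is an added illustration, not detection logic from ATT&CK or from Glexia: the mount table, the process and flow records, the per-host baselines, the approved-workflow allowlist, the 15-minute window and the 5x factor are all constructed for the example, and because endpoint tools often lack file-level visibility on remote filesystems, the mount access is inferred from the copy tool's arguments rather than from file events.

```python
"""Correlate shell/script copies from network mounts with subsequent bulk transfer.

Added example (not part of the ATT&CK analytic or the Glexia page). All mount
points, events, baselines and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed mount table; in production read it from /proc/mounts or findmnt.
NETWORK_MOUNTS = {"/mnt/finance": "nfs4", "/mnt/shared": "cifs"}
COPY_TOOLS = {"cp", "mv", "rsync", "tar", "dd", "cat", "scp"}
SHELLS_AND_INTERPRETERS = {"bash", "sh", "zsh", "dash", "python3", "perl"}
# Constructed allowlist of approved high-volume workflows: (user, mount point).
APPROVED_WORKFLOWS = {("backup", "/mnt/finance")}


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent_comm: str  # process that launched the tool (shell or interpreter)
    comm: str
    argv: list


@dataclass
class FlowEvent:
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def mount_for(path):
    """Return (mount_point, fstype) if path lies under a network mount, else None."""
    for mp, fstype in NETWORK_MOUNTS.items():
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            return mp, fstype
    return None


def copy_from_mount(ev):
    """A copy-like tool, started by a shell/interpreter, with a network-mount path argument."""
    if ev.comm not in COPY_TOOLS or ev.parent_comm not in SHELLS_AND_INTERPRETERS:
        return None
    for arg in ev.argv[1:]:
        hit = mount_for(arg)
        if hit:
            return hit
    return None


def bytes_out_after(flows, host, start, window):
    """Outbound bytes from host in [start, start + window)."""
    end = start + window
    return sum(f.bytes_out for f in flows if f.host == host and start <= f.ts < end)


def correlate(procs, flows, baseline_bytes, window=timedelta(minutes=15), factor=5.0):
    """Flag copies from network mounts; escalate when the host's outbound volume
    in the following window exceeds factor * its typical volume for that window."""
    findings = []
    for ev in sorted(procs, key=lambda e: e.ts):
        hit = copy_from_mount(ev)
        if hit is None:
            continue
        mount_point, fstype = hit
        if (ev.user, mount_point) in APPROVED_WORKFLOWS:
            continue  # known backup/migration job; tuned out by business process
        total = bytes_out_after(flows, ev.host, ev.ts, window)
        typical = baseline_bytes.get(ev.host, 0)  # unknown host: any transfer escalates
        findings.append({
            "ts": ev.ts, "host": ev.host, "user": ev.user, "tool": ev.comm,
            "mount": mount_point, "fstype": fstype, "bytes_out_in_window": total,
            "severity": "high" if total > factor * typical else "low",
        })
    return findings


def sample_findings():
    """Run the correlation over constructed sample telemetry."""
    def t(h, m):
        return datetime(2024, 5, 6, h, m)
    procs = [
        ProcEvent(t(9, 0), "web01", "alice", "bash", "cp", ["cp", "-r", "/mnt/finance/q3", "/tmp/.c"]),
        ProcEvent(t(2, 0), "db01", "backup", "sh", "rsync", ["rsync", "-a", "/mnt/finance/", "/backup/"]),
        ProcEvent(t(10, 0), "web01", "bob", "bash", "cp", ["cp", "/home/bob/notes.txt", "/tmp/"]),
        ProcEvent(t(11, 0), "app01", "carol", "python3", "tar", ["tar", "czf", "/tmp/hr.tgz", "/mnt/shared/hr"]),
    ]
    flows = [
        FlowEvent(t(9, 4), "web01", "203.0.113.10", 1_800_000_000),
        FlowEvent(t(9, 9), "web01", "203.0.113.10", 900_000_000),
        FlowEvent(t(9, 30), "web01", "203.0.113.10", 500_000_000),  # outside the window
        FlowEvent(t(2, 5), "db01", "10.0.0.20", 3_000_000_000),
        FlowEvent(t(11, 3), "app01", "10.0.0.50", 12_000_000),
    ]
    baseline = {"web01": 40_000_000, "app01": 30_000_000, "db01": 2_000_000_000}
    return correlate(procs, flows, baseline)


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

In the constructed data, the interactive `cp` from `/mnt/finance` on `web01` is followed by 2.7 GB outbound within the window and is rated high; the `tar` of `/mnt/shared/hr` on `app01` is recorded as a low-severity copy because the following transfer stays within baseline; the `backup` account's `rsync` is suppressed by the allowlist; and the copy of a local file is never considered. The per-host baseline and the (user, mount) allowlist are the two knobs the tuning bullet above refers to.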
Mitigation priorities
- Inventory Linux systems with mounted NFS or CIFS/SMB shares and identify sensitive shared-data locations.
- Restrict shared-drive permissions to required users, services, and hosts; review script and service account access separately.
- Ensure logging and retention cover process activity, mount usage, user context, and network transfer volume for relevant Linux hosts.
- Define approved high-volume data movement workflows so the SOC can distinguish expected operations from anomalous copying.
- Prepare incident-response playbooks for suspicious shared-drive access, including user validation, host containment decisions, and evidence preservation.
Analyst notes and limits
The supplied object is a detection analytic, not a technique, and has no tactic or relationship context. The strongest use is as a coverage and readiness check for Linux shared-storage monitoring. The analytic is especially decision-relevant where business-critical or regulated data resides on mounted network drives, but sensitivity and normal transfer patterns must be determined locally.
Official detection logic was not provided, and no relationships, mitigations, tactics, or procedure examples were supplied. This take therefore does not infer adversary intent, active exploitation, attribution, impact, or guaranteed detection coverage. Applicability is limited to the supplied platform: Linux.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 08b69bb7b53f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1146 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.