DET0182: Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS
Analyst context for executives and security teams
DET0182 is a MITRE detection strategy for behavior-chain detection of Network Share Discovery, a discovery behavior where an adversary looks for shared folders and drives on remote systems. For leaders, this matters because share enumeration can reveal where sensitive data lives and which systems may be useful for later collection or lateral movement. The ATT&CK object itself is sparse, so teams should treat it as a prompt to validate real telemetry and detection logic rather than as proof of existing coverage.
Executive priority
Prioritize this as an operational resilience and data exposure question: can the organization see when users, hosts, or processes enumerate network shares across Windows, Linux, and macOS environments, and can the SOC distinguish normal administration from suspicious discovery? This is also useful audit evidence for identity, endpoint, and network monitoring maturity, especially where shared drives support business-critical workflows.
Technical view
The detection strategy is linked to ATT&CK technique T1135 Network Share Discovery under the Discovery tactic and related platforms Linux, macOS, and Windows. SOC and detection engineering teams should validate behavior-chain logic that correlates share enumeration activity with surrounding context such as process execution, user identity, source host, destination systems, authentication events, and subsequent access to discovered shares. Because no official detection text is supplied for DET0182, local implementation should be based on observed enterprise baselines and the related T1135 behavior rather than copied from this object.
Likely telemetry
- Endpoint process execution and command-line telemetry for utilities or scripts that enumerate network shares
- EDR or host telemetry showing parent-child process context around discovery activity
- Network connection telemetry from source hosts to file-sharing services, including SMB where applicable on Windows networks
- File share and server audit logs showing share listing, access attempts, and remote enumeration patterns
- Authentication logs tying share discovery activity to user, service account, or host identity
Detection direction
- Validate that monitoring covers the related platforms identified by ATT&CK: Windows, Linux, and macOS; do not assume parity across operating systems.
- Tune behavior-chain detections around sequences, not single events: share enumeration followed by broad access attempts, unusual destination breadth, atypical user context, or activity from non-administrative endpoints is generally more decision-useful than one command alone.
- Baseline legitimate administrative, backup, inventory, and helpdesk activity to reduce false positives, since network share discovery can be normal in managed environments.
- Check blind spots where endpoint logging is weak, file server auditing is disabled, command-line capture is incomplete, or network telemetry cannot identify the initiating user or process.
- Use the T1135 relationship to review detections in the context of possible precursors to Collection and Lateral Movement, while avoiding unsupported assumptions about intent from discovery activity alone.
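The behavior-chain idea in the telemetry and detection-direction lists above, expressed as runnable correlation logic. This is an added illustration written for this page, not MITRE's or Glexia's code and not official DET0182 analytics. The event schema, the command-line patterns treated as share enumeration, the 15-minute window, the breadth threshold of three shares and the approved-account baseline are all assumptions chosen for the example; a real deployment takes every one of them from local telemetry and baselines. The sample events are constructed.

```python
"""Behavior-chain correlation for network share discovery (T1135).

Added example for this page, not MITRE's or Glexia's code. The schema,
patterns, window, threshold and approved-account list are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str      # source endpoint (EDR / process telemetry)
    user: str      # identity tied to the activity (auth logs)
    kind: str      # "process": detail is a command line; "share_access": detail is server\share
    detail: str


# Assumed indicator patterns for share-listing utilities on the three platforms.
ENUM_PATTERNS = [
    re.compile(r"\bnet1?\s+view\b", re.I),   # Windows: net view / net1 view
    re.compile(r"\bsmbclient\b.*\s-L\b"),    # Linux/macOS: smbclient -L
    re.compile(r"\bshowmount\b.*\s-e\b"),    # NFS export listing
    re.compile(r"\bsmbutil\s+view\b"),       # macOS: smbutil view
]

# Assumed baseline: accounts documented as running backup or inventory jobs.
APPROVED_ACCOUNTS = {"svc_backup", "svc_inventory"}


def is_share_enumeration(cmdline: str) -> bool:
    """True when a command line matches one of the assumed enumeration patterns."""
    return any(p.search(cmdline) for p in ENUM_PATTERNS)


def correlate(events, window=timedelta(minutes=15), breadth_threshold=3):
    """Pair each enumeration with the distinct shares the same host+user touches
    within the following window. Alert only on the sequence (enumeration then
    broad access), never on the enumeration alone; severity reflects whether
    the account is part of the documented baseline."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_actor[(e.host, e.user)].append(e)

    alerts = []
    for (host, user), seq in by_actor.items():
        for i, e in enumerate(seq):
            if e.kind != "process" or not is_share_enumeration(e.detail):
                continue
            shares = {x.detail for x in seq[i + 1:]
                      if x.kind == "share_access" and x.ts - e.ts <= window}
            if len(shares) < breadth_threshold:
                continue
            alerts.append({
                "host": host,
                "user": user,
                "trigger": e.detail,
                "shares": sorted(shares),
                "breadth": len(shares),
                "severity": "low" if user in APPROVED_ACCOUNTS else "high",
            })
    return alerts


def _t(hhmm):
    return datetime(2026, 1, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Workstation user lists shares, then touches four shares on three servers: suspicious chain.
    Event(_t("09:02"), "ws-042", "jsmith", "process", r"net view \\fs01"),
    Event(_t("09:03"), "ws-042", "jsmith", "share_access", r"fs01\finance"),
    Event(_t("09:04"), "ws-042", "jsmith", "share_access", r"fs01\hr"),
    Event(_t("09:05"), "ws-042", "jsmith", "share_access", r"fs02\engineering"),
    Event(_t("09:07"), "ws-042", "jsmith", "share_access", r"fs03\legal"),
    # Baselined backup account shows the same breadth: still surfaced, but low severity.
    Event(_t("02:00"), "bkp-01", "svc_backup", "process", "smbclient -L //fs01 -N"),
    Event(_t("02:01"), "bkp-01", "svc_backup", "share_access", r"fs01\finance"),
    Event(_t("02:02"), "bkp-01", "svc_backup", "share_access", r"fs01\hr"),
    Event(_t("02:03"), "bkp-01", "svc_backup", "share_access", r"fs02\engineering"),
    # macOS user lists one server and opens one share: a single command, no alert.
    Event(_t("11:30"), "mac-07", "alee", "process", "smbutil view //fs02"),
    Event(_t("11:31"), "mac-07", "alee", "share_access", r"fs02\shared"),
    # Broad access with no preceding enumeration: outside this chain, no alert.
    Event(_t("14:00"), "ws-010", "bkumar", "share_access", r"fs01\finance"),
    Event(_t("14:01"), "ws-010", "bkumar", "share_access", r"fs01\hr"),
    Event(_t("14:02"), "ws-010", "bkumar", "share_access", r"fs02\engineering"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f'{a["severity"]:<4} {a["host"]}/{a["user"]}: {a["trigger"]!r} '
              f'then {a["breadth"]} shares {a["shares"]}')
```

Only the two actors who enumerate and then reach three or more shares produce alerts; the baselined backup account is downgraded rather than suppressed, which keeps the audit trail the page asks for while reducing triage load. The two non-alerting actors show the blind spots to keep in mind: an analyst who also wants to see single-command enumeration or broad access without a visible enumeration step (for example, because command-line capture is incomplete) needs separate, lower-confidence logic.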
Mitigation priorities
- Establish least-privilege access to shared folders and drives so discovery does not expose unnecessary data paths.
- Harden and audit file-sharing configurations, especially broadly accessible shares and sensitive business repositories.
- Ensure endpoint, identity, and file server logging are enabled and retained long enough to support SOC triage and incident response.
- Document approved administrative share-enumeration tools and expected service accounts to support detection tuning and audit readiness.
- Regularly review share permissions and ownership as part of vulnerability management, identity governance, and compliance evidence collection.
Analyst notes and limits
This take is based on the DET0182 detection strategy metadata and its relationship to T1135 Network Share Discovery. The object name indicates behavior-chain detection across Windows, Linux, and macOS, but the official description, platforms, tactics, and detection fields for the detection strategy are not provided. The related technique supplies the Discovery tactic, supported platforms, and the business-relevant context that network shares may identify information sources and systems of interest.
No official DET0182 detection logic, data sources, analytics, or platform field is supplied. Telemetry and control recommendations therefore require local validation and should not be interpreted as guaranteed detection coverage or evidence of active exploitation.
Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1135 | Network Share Discovery | This object detects Network Share Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 41608266a7db… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0182 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.