MITRE ATT&CK® Technique

T1039: Data from Network Shared Drive

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Enterprise | T1039 | Technique | Object version 1.5
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Data from Network Shared Drive matters because an attacker who already has access to one system may use that access to look through shared folders and file servers for sensitive documents before exfiltration. For leaders, the key issue is not just malware on an endpoint; it is whether normal business file sharing has become a path to broad data exposure across Windows, macOS, and Linux environments.

Executive priority

Prioritize this technique where shared drives contain regulated, confidential, operational, or executive data. Ask whether access to network shares is least-privilege, whether file access is logged well enough to support incident response and audit evidence, and whether SOC teams can distinguish normal file browsing from unusual collection activity. The relationship context includes ransomware, espionage-oriented groups, and information-stealing software, so this behavior should be treated as relevant to both data-loss readiness and business continuity planning without assuming current exposure.

Technical view

ATT&CK places T1039 in the Collection tactic across Linux, macOS, and Windows. The official description highlights searching accessible network shares from a compromised system, potentially through interactive command shells and common cmd functionality (for example net view and net use to find and map shares, dir against UNC paths to list them, and copy, xcopy, or robocopy to pull files back). Because MITRE does not provide official detection text in the supplied fields, defenders should validate coverage around authenticated access to remote shares, command-line enumeration or copying behavior, file server access patterns, and unusual volume or breadth of file reads from a single host or account. The DET0410 relationship indicates a related detection strategy exists, but the supplied fields do not include its logic, so teams should not assume coverage without reviewing their own detections.

Likely telemetry

  • File server and network share access logs
  • Endpoint process creation and command-line telemetry
  • Authentication and session logs for accounts accessing shared drives
  • File read, copy, archive, and staging activity where available
  • Network connections from endpoints to file servers or shared directories

Detection direction

  • Baseline normal shared-drive access by user, host, department, and file server, then look for unusual breadth, volume, timing, or access from atypical endpoints.
  • Correlate process execution on compromised or suspicious hosts with subsequent access to network shares, especially command shells or common system utilities used to enumerate or copy files.
  • Tune detections to reduce false positives from backup jobs, indexing, administrative maintenance, eDiscovery, and legitimate bulk file operations.
  • Validate visibility across Windows, macOS, and Linux clients rather than assuming file-share monitoring is Windows-only.
  • Use the related DET0410 detection strategy as a pointer for further engineering review, but confirm actual local telemetry, rule logic, and alert quality.
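
The detection direction above in working form, as an added example that is not part of the Glexia page or the ATT&CK object: a Python pass over constructed share-access and process-creation records. The record layout is loosely modelled on Windows Security events 5145 (detailed file share access) and 4688 (process creation), but the tuple schema, user and host names, thresholds, baseline window and allowlist are all assumptions for illustration. It builds a per-user baseline of shares from earlier records, flags a user/host pair that reaches shares outside that baseline or reads an unusual number of distinct files inside one sliding window, and raises severity when the same user and host also ran share enumeration or copy commands (net view, dir against a UNC path, xcopy) around the burst. The allowlisted backup account shows why the tuning bullet matters: without it, the backup job is the noisiest finding.

```python
"""
Added example (not Glexia's or MITRE's code): baseline-and-burst detection for
T1039-style share collection over constructed telemetry. Record layouts loosely
follow Windows Security events 5145 (share object access) and 4688 (process
creation), but the tuple schema, names, thresholds and allowlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs).
SHARE_ACCESS = [
    # (timestamp, user, source host, share, relative target)
    ("2024-03-04T09:02:11", "alice", "WS-101", "\\\\FS01\\Finance", "Q1\\budget.xlsx"),
    ("2024-03-04T09:15:40", "alice", "WS-101", "\\\\FS01\\Finance", "Q1\\forecast.xlsx"),
    ("2024-03-04T10:01:00", "bob", "WS-207", "\\\\FS01\\IT-Tools", "sysinternals\\procexp.exe"),
    ("2024-03-05T02:00:00", "svc-backup", "BK01", "\\\\FS01\\HR", "payroll\\2024.xlsx"),
    ("2024-03-05T02:00:01", "svc-backup", "BK01", "\\\\FS01\\Legal", "contracts\\msa.docx"),
    ("2024-03-05T09:05:00", "alice", "WS-101", "\\\\FS01\\Finance", "Q1\\budget.xlsx"),
    ("2024-03-05T13:41:10", "bob", "WS-207", "\\\\FS01\\HR", "payroll\\2024.xlsx"),
    ("2024-03-05T13:41:12", "bob", "WS-207", "\\\\FS01\\HR", "payroll\\2023.xlsx"),
    ("2024-03-05T13:41:15", "bob", "WS-207", "\\\\FS01\\HR", "reviews\\exec.docx"),
    ("2024-03-05T13:42:01", "bob", "WS-207", "\\\\FS01\\HR", "reviews\\board.docx"),
    ("2024-03-05T13:43:20", "bob", "WS-207", "\\\\FS01\\Legal", "contracts\\msa.docx"),
    ("2024-03-05T13:43:22", "bob", "WS-207", "\\\\FS01\\Legal", "contracts\\nda.docx"),
    ("2024-03-05T13:44:05", "bob", "WS-207", "\\\\FS01\\Legal", "litigation\\hold.pdf"),
    ("2024-03-05T13:44:50", "bob", "WS-207", "\\\\FS01\\Legal", "deals\\term-sheet.pdf"),
]
PROCESS_EVENTS = [
    # (timestamp, user, host, command line)
    ("2024-03-05T02:00:00", "svc-backup", "BK01", "robocopy \\\\FS01\\HR D:\\backup\\HR /MIR"),
    ("2024-03-05T09:04:30", "alice", "WS-101", "explorer.exe"),
    ("2024-03-05T13:40:02", "bob", "WS-207", "cmd.exe /c net view \\\\FS01"),
    ("2024-03-05T13:40:30", "bob", "WS-207", "cmd.exe /c dir \\\\FS01\\HR\\*.docx /s /b > C:\\Users\\Public\\hr.txt"),
    ("2024-03-05T13:41:05", "bob", "WS-207", "xcopy \\\\FS01\\HR C:\\Users\\Public\\stage /s /e /h"),
]

# Built-in shell functionality commonly used to find, list and pull share contents.
ENUM_RE = re.compile(
    r"\b(?:net\s+(?:view|use)\b"                     # share discovery or mapping
    r"|(?:dir|tree|xcopy|robocopy|copy)\s+\\\\"      # listing or copying a UNC path
    r"|findstr\b.*\\\\)",                            # searching content under a UNC path
    re.IGNORECASE,
)


def detect(share_access, process_events, baseline_end, *, window=timedelta(minutes=10),
           file_threshold=6, corr_slack=timedelta(minutes=15),
           allowlist=frozenset({"svc-backup"})):
    """Return one finding per (user, host) whose activity after baseline_end looks
    like collection: shares the user never touched during the baseline period, or
    an unusual number of distinct files within one sliding window, with severity
    raised when the same user and host ran enumeration/copy commands nearby."""
    if isinstance(baseline_end, str):
        baseline_end = datetime.fromisoformat(baseline_end)
    baseline_shares = defaultdict(set)      # user -> shares seen before baseline_end
    current = defaultdict(list)             # (user, host) -> [(time, share, target)]
    for t, user, host, share, target in share_access:
        when = datetime.fromisoformat(t)
        if when < baseline_end:
            baseline_shares[user].add(share)
        else:
            current[(user, host)].append((when, share, target))

    findings = []
    for (user, host), events in current.items():
        if user in allowlist:               # backup/indexing accounts need their own baseline
            continue
        events.sort()
        new_shares = {s for _, s, _ in events} - baseline_shares[user]
        # Largest number of distinct files touched inside any one window.
        peak = max(len({(s, p) for w, s, p in events if start <= w <= start + window})
                   for start, _, _ in events)
        if not new_shares and peak < file_threshold:
            continue
        lo, hi = events[0][0] - corr_slack, events[-1][0] + corr_slack
        cmds = [cmd for t, u, h, cmd in process_events
                if u == user and h == host
                and lo <= datetime.fromisoformat(t) <= hi and ENUM_RE.search(cmd)]
        findings.append({
            "user": user, "host": host,
            "new_shares": sorted(new_shares),
            "peak_files_in_window": peak,
            "enumeration_cmds": cmds,
            "severity": "high" if cmds else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect(SHARE_ACCESS, PROCESS_EVENTS, "2024-03-05T00:00:00"):
        print(f"{f['severity'].upper()}: {f['user']}@{f['host']} new shares={f['new_shares']} "
              f"peak distinct files/window={f['peak_files_in_window']} cmds={len(f['enumeration_cmds'])}")
```

Run as-is, the only finding is bob from WS-207: two shares outside his baseline, eight distinct files inside one ten-minute window, and three enumeration or copy commands from the same host minutes earlier. In a real deployment the baseline would come from weeks of data per user, host and department rather than one prior day, and the blanket allowlist would give way to a separate baseline for service accounts, so that a backup job copying a new share still surfaces as a change.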

Mitigation priorities

  • Reduce unnecessary access to shared drives through least-privilege permissions and periodic access reviews.
  • Separate sensitive repositories from broadly accessible shares and require stronger controls for high-value data locations.
  • Ensure file server auditing and endpoint telemetry are enabled before an incident so responders can reconstruct what was accessed.
  • Monitor for abnormal collection patterns and integrate file-share activity into managed detection or SOC workflows.
  • Use tabletop or incident response readiness exercises to confirm escalation paths when suspicious shared-drive access may indicate pre-exfiltration collection.
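
The first two mitigation bullets (least-privilege share permissions, periodic access reviews, and separating sensitive repositories from broadly accessible shares) as an added example that is not Glexia's or MITRE's code: a Python access review over a constructed share-permission export in the shape of Get-SmbShareAccess output. The share names, accounts, sensitivity labels and the list of "broad" principals are assumptions an organisation would replace with its own inventory. It flags ACEs that hand any domain account read access to a sensitive share or write access to any share, emits a Revoke-SmbShareAccess line for an administrator to review, and separately lists sensitive shares that have no scoped group at all, where revoking the broad ACE would simply lock everyone out.

```python
"""
Added example (not Glexia's or MITRE's code): an offline share-permission review
that flags the access patterns T1039 relies on. Input is a constructed export in
the shape of Get-SmbShareAccess output (share, account, Allow/Deny, right); the
sensitivity labels and the set of broad principals are assumptions.
"""

# Constructed ACL export; not taken from a real server.
SHARE_ACL = [
    # (share, account, access control type, access right)
    ("Public",  "Everyone",                          "Allow", "Read"),
    ("Public",  "CORP\\Domain Users",                "Allow", "Change"),
    ("HR",      "CORP\\Domain Users",                "Allow", "Read"),
    ("HR",      "CORP\\HR-Staff",                    "Allow", "Change"),
    ("Legal",   "CORP\\Legal-Team",                  "Allow", "Change"),
    ("Legal",   "NT AUTHORITY\\Authenticated Users", "Allow", "Full"),
    ("Finance", "CORP\\Finance-Analysts",            "Allow", "Read"),
    ("Finance", "CORP\\Finance-Leads",               "Allow", "Change"),
    ("Finance", "CORP\\svc-backup",                  "Allow", "Read"),
    ("Finance", "CORP\\Contractors",                 "Deny",  "Full"),
    ("Exec",    "CORP\\Domain Users",                "Allow", "Read"),
]

# Assumed data classification per share (would come from a data inventory).
SENSITIVITY = {"Public": "internal", "HR": "confidential", "Legal": "confidential",
               "Finance": "regulated", "Exec": "confidential"}
SENSITIVE = {"confidential", "regulated"}

# Principals that effectively mean "any compromised domain account".
BROAD_PRINCIPALS = {
    "everyone", "anonymous logon", "builtin\\users",
    "nt authority\\authenticated users", "corp\\domain users",
}
WRITE_RIGHTS = {"Change", "Full"}


def review_share_acl(acl, sensitivity):
    """Return findings for Allow ACEs that give broad principals reach into
    sensitive shares (collection risk) or write access anywhere (staging risk)."""
    findings = []
    for share, account, ace_type, right in acl:
        if ace_type != "Allow" or account.lower() not in BROAD_PRINCIPALS:
            continue
        label = sensitivity.get(share, "unclassified")
        if label in SENSITIVE:
            severity, reason = "high", f"broad principal can read {label} share"
        elif right in WRITE_RIGHTS:
            severity, reason = "medium", "broad principal can write to share"
        else:
            continue
        findings.append({
            "share": share, "account": account, "right": right,
            "severity": severity, "reason": reason,
            # Remediation as a PowerShell line for an administrator to review first;
            # which scoped group should remain is a decision for the data owner.
            "remediation": f'Revoke-SmbShareAccess -Name "{share}" -AccountName "{account}" -Force',
        })
    return findings


def shares_without_scoped_access(acl, sensitivity):
    """Sensitive shares whose every Allow ACE is a broad principal: no dedicated
    group exists yet, so users must be migrated before broad access is revoked."""
    allows = {}
    for share, account, ace_type, _ in acl:
        if ace_type == "Allow":
            allows.setdefault(share, []).append(account.lower())
    return sorted(s for s, accts in allows.items()
                  if sensitivity.get(s) in SENSITIVE
                  and all(a in BROAD_PRINCIPALS for a in accts))


if __name__ == "__main__":
    for f in review_share_acl(SHARE_ACL, SENSITIVITY):
        print(f"{f['severity'].upper()} {f['share']}: {f['account']} ({f['right']}) "
              f"{f['reason']} -> {f['remediation']}")
    print("needs a scoped group first:", shares_without_scoped_access(SHARE_ACL, SENSITIVITY))
```

Deny ACEs are skipped on purpose: they do not widen reach, and reasoning about their precedence belongs in a fuller effective-permissions calculation. The "Exec" share illustrates the ordering problem in access reviews: the finding is real, but the revoke line must wait until a scoped group exists.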

Analyst notes and limits

This object is a collection technique, not an initial access or exfiltration technique. Its materiality depends heavily on local file-share design, identity permissions, logging, and the sensitivity of data stored on shared drives. Relationship context shows use by multiple ATT&CK groups, software entries, and one campaign, including ransomware and espionage-related examples, but those relationships should be used for prioritization and threat-informed defense rather than attribution in a local incident.

MITRE provides no official detection text for this technique in the supplied fields. The related detection strategy is named but not detailed. No environment-specific share architecture, identity model, logging configuration, or data classification is supplied, so detection and mitigation priorities require local validation.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1039: RedCurl

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]

Group Enterprise

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

Group Enterprise

G0054: Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015.[1]

Group Enterprise

G0114: Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[1][2]

Group Enterprise

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

Group Enterprise

G0117: Fox Kitten

Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]

Malware Enterprise

S0554: Egregor

Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between Egregor and Sekhmet ransomware, as well as Maze ransomware.[1][2][3]

Platforms: Windows

Malware Enterprise

S0458: Ramsay

Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between Ramsay and the Darkhotel-associated Retro malware.[1][2]

Platforms: Windows

Malware Enterprise

S0128: BADNEWS

BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.[1][2]

Platforms: Windows

Campaign Enterprise

C0015: C0015

C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.5
Raw hash: d61f0f270755515f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | - | 1.5 | - | Current bundle | d61f0f270755…
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] mitre-attack, T1039: Data from Network Shared Drive
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.