T1039: T1039

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1039
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Data from Network Shared Drive

Platforms

windows macos linux

Description

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.

Kill chain phases

Kill chain	Phase
mitre-attack	collection

Marking (TLP)

External references

mitre-attack (T1039)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (21)

Fox Kitten uses UNC757Parisite

The MITRE Corporation Confidence 100

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BRONZE BUTLER uses REDBALDKNIGHTTick

The MITRE Corporation Confidence 100

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RedCurl uses

The MITRE Corporation Confidence 100

[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera uses

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Threat Group-3390 uses Earth SmilodonTG-3390

The MITRE Corporation Confidence 100

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Locky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT28 uses IRON TWILIGHTSNAKEMACKEREL

The MITRE Corporation Confidence 100

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FakeTicketer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Slow Pisces uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Runningcrab uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 21

IcedID - S0483 uses

Family
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackCat uses
Atharvan uses

Family
ELF Backdoor uses

Family
Zagrebator.Stealer uses

Family
PlugX - S0013 uses

Family
Preft uses

Family
Mimikatz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Goat RAT uses

Family
KaosRAT uses

Family
RagnarLocker uses

Family

← Previous

Page / 7

1–12 of 80

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT
Leveling Up with NightSpire Ransomware related

16 MITREs 1 Malware 2 Observables 1 APT
New Malware Targets Users of Cobra DocGuard Software related

20 MITREs 3 Malwares 7 Observables 1 APT
The Anatomy of Abyss Locker Ransomware Attack related

23 MITREs 1 Malware 15 Observables
The ticket that doesn't exist: a new threat … related

20 MITREs 3 Malwares 1 APT
Nitrogen Campaign Drops Sliver and Ends With BlackCat … related

32 MITREs 6 Malwares 45 Observables
MirrorFace Attack against Japanese Organisations related

1 CVE 21 MITREs 2 Malwares 27 Observables 1 APT
Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT related

1 CVE 20 MITREs 3 Malwares 6 Observables
North Korea Cyber Group Conducts Global Espionage Campaign … related

21 MITREs 22 Malwares 60 Observables 1 APT
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load … related

23 MITREs 5 Observables 1 APT

← Previous

Page / 2

1–12 of 14

Vulnerabilities (CVE) (6)

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2026-35616 KEV targets

9.8 Critical

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …

Attack vector: NETWORK
Complexity: LOW
Published: 04/04/2026
Modified: 09/04/2026

CWE-284 Received

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2026-25089 targets

9.8 Critical

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox …

Published: 09/06/2026
Modified: 09/06/2026

Awaiting Analysis

CVE-2024-5806 targets

9.1 Critical

Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass in limited scenarios.This issue affects MOVEit Transfer: from …

Attack vector: NETWORK
Published: 25/06/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-0257 KEV targets

4.7 Medium

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …

Attack vector: NETWORK
Complexity: LOW
Published: 13/05/2026
Modified: 10/06/2026

CWE-565 Awaiting Analysis

Campaign (1)

C0015 uses

Contact About Legal notice Privacy policy Terms of use

T1039: T1039

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (21)

Malware (80)

Reports (14)

Vulnerabilities (CVE) (6)

Campaign (1)