T1135: T1135

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 14/12/2017 17:46 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1135
Confidence: 100/100
Revoked: No
Published: 14/12/2017 17:46
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

Network Share Discovery

Platforms

windows macos linux

Description

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the `net view \\\\remotesystem` command. It can also be used to query shared drives on the local system using `net share`. For macOS, the `sharing -l` command lists all shared points used for smb services.

Kill chain phases

Kill chain	Phase
mitre-attack	discovery

Marking (TLP)

External references

Wikipedia Shared Resource
TechNet Shared Folder
mitre-attack (T1135)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (53)

Agenda uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Head Mare and Twelve uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vect uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Medusa Group uses

The MITRE Corporation Confidence 100

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Fog Ransomware uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rhantus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 uses ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius uses Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rancoz uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 53

Atera uses

Family
DiscordGo uses

Family
scm.exe uses

Family
ThreatNeedle - S0665 uses

Family
More_eggs - S0284 uses

Family
QuietSieve uses
Sandals uses
Stowaway uses

Family
Medusa Ransomware uses

Family
Volgmer - S0180 uses

Family
XWorm uses

Family
TrojanSpy:Win32/Casbaneiro uses

Family

← Previous

Page / 7

1–12 of 74

Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Ransomware Analysis: Go Binary and Fast Encryption related

AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
ClickFix Evolves with PySoxy Proxying related

20 MITREs 1 Malware 2 Observables
Iran-Linked Hackers Breached Korean Electronics Maker in Global … related

AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
UAT-8302 and its box full of malware related

3 CVEs 20 MITREs 13 Malwares 33 Observables 1 APT
Kyber ransomware is not just post-quantum name-dropping related

AlienVault Confidence 100 15 MITREs 1 Malware 8 IOCs 8 Observables
VECT: Ransomware by design, Wiper by accident related

AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
OT-Focused Malware Highlights Emerging Risk to Water Infrastructure … related

19 MITREs 1 Malware 1 Observable
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software … related

AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
AI-augmented threat actor accesses FortiGate devices at scale related

3 CVEs 20 MITREs 2 Malwares 2 Observables
Highly destructive Lotus Wiper used in a targeted … related

19 MITREs 1 Malware

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (64)

CVE-2024-4358 targets

9.8 Critical

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report …

Published: 29/05/2024
Modified: 29/05/2024

Awaiting Analysis

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2021-1732 KEV targets

Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-21974 targets

8.8 High

OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing …

Attack vector: Adjacent
Complexity: Low
Published: 24/02/2021
Modified: 03/06/2026

CWE-787

CVE-2021-27876 KEV targets

Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2021-40539 KEV targets

Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-21762 KEV targets

9.8 Critical

Fortinet FortiOS contains an out-of-bound write vulnerability that allows a remote unauthenticated attacker to execute code or commands via specially crafted HTTP …

Attack vector: Network
Published: 09/02/2024
Modified: 21/12/2025

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2021-27877 KEV targets

Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via …

Published: 07/04/2023
Modified: 21/12/2025

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2021-20090 KEV targets

Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2019-0623 targets

Published: 20/12/2025
Modified: 21/12/2025

← Previous

Page / 6

1–12 of 64

Operation CuckooBees uses
Leviathan Australian Intrusions uses

Tool (1)

Net uses

The MITRE Corporation Confidence 100

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…

Contact About Legal notice Privacy policy Terms of use

T1135: T1135

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (53)

Malware (74)

Reports (50)

Vulnerabilities (CVE) (64)

Campaign (2)

Tool (1)