Malware may spread within a network by leveraging shared drives to move laterally between hosts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain potential east-west lateral movement before it escalates.
YARA Rule
rule spreading_share {
    meta:
        author = "x0r"
        description = "Malware can spread east-west using share drive"
        version = "0.1"
    strings:
        $f1 = "netapi32.dll" nocase
        $c1 = "NetShareGetInfo"
        $c2 = "NetShareEnum"
    condition:
        $f1 and 1 of ($c*)
}
This rule contains 3 string patterns in its detection logic.
Scenario: Scheduled backup job using SMB shares
Description: A legitimate scheduled backup job is copying data from one server to another via SMB share.
Filter/Exclusion: process.name != "robocopy.exe" && process.name != "rsync.exe" && process.name != "backup.exe"
Scenario: Administrative task to share a folder for collaboration
Description: An admin shares a folder with another department for file collaboration, which triggers the rule due to SMB activity.
Filter/Exclusion: process.name != "net.exe" && process.name != "netsh.exe" && process.name != "icacls.exe"
Scenario: Remote PowerShell script execution via share
Description: A PowerShell script is executed remotely from a shared drive as part of a legitimate system management task.
Filter/Exclusion: process.name != "powershell.exe" && process.name != "pwsh.exe" && process.name != "mshta.exe"
Scenario: Log file transfer between servers for centralized logging
Description: Log files are being transferred between servers using a shared drive for centralized logging and monitoring.
Filter/Exclusion: process.name != "logrotate.exe" && process.name != "rsyslogd.exe" && process.name != "syslog-ng.exe"
Scenario: User-initiated file transfer via shared drive
Description: A user manually transfers files between workstations using a shared drive for file sharing.
Filter/Exclusion: process.name != "explorer.exe" && process.name != "cmd.exe" && process.name != "powershell.exe" && user != "admin_user"
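The following is an added example, not code from the rule's author or from this page. It mirrors the spreading_share rule's string logic in plain Python (an assumption: substring search is used instead of the yara-python library, which is what you would use in production) and then applies the tuning exclusions above to constructed process events. It also shows why a chain of `!=` clauses joined with `||` is a tautology that never suppresses anything, and why the clauses must be ANDed. The byte blobs and events are constructed for the demonstration; the process names, user name and function names are the example's own.

```python
import re
from dataclasses import dataclass

# Strings from the spreading_share rule. $f1 carries the `nocase` modifier;
# the $c* API names are matched case-sensitively, exactly as YARA would.
F1_NOCASE = re.compile(re.escape(b"netapi32.dll"), re.IGNORECASE)
C_STRINGS = {"$c1": b"NetShareGetInfo", "$c2": b"NetShareEnum"}


def match_spreading_share(data: bytes) -> list:
    """Evaluate `$f1 and 1 of ($c*)`; return the matched identifiers, or [] on no match."""
    hits = ["$f1"] if F1_NOCASE.search(data) else []
    hits += [ident for ident, needle in C_STRINGS.items() if needle in data]
    return hits if "$f1" in hits and len(hits) > 1 else []


@dataclass
class ProcessEvent:
    process_name: str
    user: str


# Allow-lists taken from the tuning scenarios on the page (two of five shown).
BACKUP_TOOLS = {"robocopy.exe", "rsync.exe", "backup.exe"}
USER_TRANSFER_TOOLS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def keep_event_buggy(ev: ProcessEvent, tools: set) -> bool:
    """`!= a || != b || != c`: true for every process once two names differ,
    so this form of the exclusion never drops a single event."""
    return any(ev.process_name.lower() != t for t in tools)


def keep_event(ev: ProcessEvent, tools: set, exclude_user: str = None) -> bool:
    """Corrected form: all `!=` clauses ANDed. An event survives only if its process
    is outside the allow-list and (optionally) its user is not the excluded account."""
    if ev.process_name.lower() in tools:
        return False
    if exclude_user is not None and ev.user == exclude_user:
        return False
    return True


def triage(samples: dict, events: list) -> dict:
    """Rule result per sample, plus the process events left after the backup-job exclusion."""
    hits = {name: match_spreading_share(blob) for name, blob in samples.items()}
    survivors = [e.process_name for e in events if keep_event(e, BACKUP_TOOLS)]
    return {"hits": hits, "survivors": survivors}


# Constructed samples: byte blobs carrying the rule's literals, not real binaries.
SAMPLES = {
    "enumerator": b"MZ...\x00NETAPI32.DLL\x00NetShareEnum\x00",   # nocase import + one API
    "only_import": b"MZ...\x00netapi32.dll\x00NetUserEnum\x00",   # import but no $c* string
    "wrong_case": b"MZ...\x00netapi32.dll\x00netshareenum\x00",   # $c2 is case-sensitive
}
# Constructed process events: one backup tool, one unlisted process.
EVENTS = [ProcessEvent("robocopy.exe", "svc_backup"), ProcessEvent("rundll32.exe", "jdoe")]

if __name__ == "__main__":
    print(triage(SAMPLES, EVENTS))
```

Running the script prints one rule match (the sample with the case-insensitive import and one share API), no match for the other two, and only the unlisted process surviving the backup exclusion. When porting the exclusions to Sentinel, keep the ANDed form; the OR-joined version silently disables the tuning.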