File shares

This is another method commonly used by attackers for performing lateral movement in networks that they have already compromised. The main purpose of this method is to capture most of the data available in a network. File shares are collaboration mechanisms used in many networks. They enable clients to access files stored on a server or on individual computers. Sometimes, the servers will contain sensitive information such as customer databases, operating procedures, software, template documents, and company secrets. The built-in administrative shares that expose whole hard drives on machines (such as C$ and ADMIN$) also come in handy, as they give anyone on the network who holds administrative credentials read and write access to entire disks.

File shares give hackers the advantage of a low probability of detection, since these are legitimate traffic channels that are normally not monitored. A malicious actor will, therefore, have ample time to access, copy, and even edit the contents of any shared media in a network. It is also possible to plant malware in the shared environment to infect the computers that copy files from it. The technique is highly effective when hackers have already obtained access to an account with elevated privileges. With these privileges, they can access most of the shared data with read and write permissions.

The following are some of the PowerShell commands that can be used to create a file share.

The first command creates the directory that is to be shared, and the second command turns it into an SMB share, granting full access to an administrator group, change access to a department group, and read access to all authenticated domain users:

New-Item "D:\Secretfile" -ItemType Directory

New-SmbShare -Name "Secretfile" -Path "D:\Secretfile" -ContinuouslyAvailable $true -FullAccess "domain\administratorgroup" -ChangeAccess "domain\departmentusers" -ReadAccess "domain\authenticated users"

Another option is to use the PowerShell utility Nishang (https://github.com/samratashok/nishang). As mentioned previously, alternate data streams (ADS) can also be used here to hide files; in this case, the Invoke-ADSBackdoor command does this.
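Because a share like the one above grants read access to every authenticated user, a defender's first check is to audit which non-administrative shares expose broad groups and which shares were recently created. The following audit script is an added example, not code from the book or from Nishang; it assumes it runs with administrative rights on the host being audited, that the "Audit File Share" subcategory is enabled for the Security log, and the list of "broad" principals is an assumption you should adjust to your environment.

```powershell
# Added example (not from the original text): audit SMB shares for broad
# access grants and list recent share creations from the Security log.
# Assumed list of principals whose presence in a share ACL deserves review.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

function Get-RiskySmbShare {
    # Built-in administrative shares (C$, ADMIN$, IPC$) are reported with
    # Special = $true; skip them so only explicitly created shares are listed.
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($share in $shares) {
        $acl = Get-SmbShareAccess -Name $share.Name
        $broad = foreach ($entry in $acl) {
            # AccountName is "DOMAIN\Group"; compare only the group part.
            $account = ($entry.AccountName -split '\\')[-1]
            if ($entry.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $account) {
                $entry
            }
        }
        if ($broad) {
            [pscustomobject]@{
                Name                  = $share.Name
                Path                  = $share.Path
                ContinuouslyAvailable = $share.ContinuouslyAvailable
                BroadAccess           = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            }
        }
    }
}

function Get-RecentShareCreation {
    param([int]$Hours = 24)
    # Event ID 5142 ("A network share object was added") is only logged when
    # Object Access > Audit File Share is enabled in the audit policy.
    $filter = @{ LogName = 'Security'; Id = 5142; StartTime = (Get-Date).AddHours(-$Hours) }
    # Get-WinEvent reports "no events found" as an error; suppress it so an
    # empty result is returned instead.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Summary = ($_.Message -split "`n")[0].Trim()
        }
    }
}

Get-RiskySmbShare | Format-Table -AutoSize
Get-RecentShareCreation -Hours 24 | Format-Table -AutoSize
```

Running this on the host where the share above was created lists "Secretfile" with its "authenticated users" read grant, and, with file-share auditing enabled, the 5142 event recording who created it.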
