From b7abc47a5c66dc0be383fff649268e99dcc9af6e Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 6 Apr 2025 11:43:44 +0000
Subject: [PATCH] page(threat-hunting): New Network Share detected
---
 source/threat-hunting/index.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 917fcea..7f899e0 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -1024,6 +1024,17 @@ SPL:
 | table Time, index, host, Domain, user, EventCode, LogonType, LogonTitle, LogonResult, source_ip, Destination, subject_user, Name, AccountDescription
 ```
+## New Network Share detected
+
+Description: Requires additional data model [mapping](https://gitlab.com/curben/splunk-scripts/-/commit/cc3e156a75519dbb3a23e0fb833c87b46c0b9409).
+References: [1](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#impact)
+SPL:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Filesystem WHERE index="windows" Filesystem.signature_id=5142 BY index, host, Filesystem.file_target, Filesystem.file_name, Filesystem.file_path, Filesystem.signature_id, Filesystem.signature, Filesystem.src, Filesystem.user, _time span=1s
+| rename Filesystem.* AS *, signature_id AS EventCode, signature AS EventDescription, file_name AS ShareName, file_path AS ShareLocalPath, file_target AS RelativeTargetName
+```
+
 ## OneNote IOC
 References: [1](https://redcanary.com/blog/intelligence-insights-february-2023/)