From a7a16b34711eb85cac6dc007c505d2c5efec34d2 Mon Sep 17 00:00:00 2001
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com>
Date: Tue, 23 Apr 2024 19:36:34 -0500
Subject: [PATCH] Update T1135.yaml (#2745)

Co-authored-by: Carrie Roberts
---
 atomics/T1135/T1135.yaml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml
index a3f58a728d..9553e687e1 100644
--- a/atomics/T1135/T1135.yaml
+++ b/atomics/T1135/T1135.yaml
@@ -181,3 +181,31 @@ atomic_tests:
 dir \\#{computer_ip}\admin$
 dir \\#{computer_ip}\IPC$
 name: command_prompt
+- name: Enumerate All Network Shares with SharpShares
+ description: |
+ SharpShares is a command line tool that can be integrated with Cobalt Strike's execute-assembly module, allowing for the enumeration of network shares.
+ This technique has been utilized by various ransomware groups, including BianLian.
+ [Reference](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a)
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_path:
+ description: File to output enumeration results to
+ type: String
+ default: '$env:temp\T1135SharpSharesOutput.txt'
+ sharp_path:
+ description: Path to the SharpShares executable
+ type: String
+ default: PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: The SharpShares executable must exist on disk
+ prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe") {exit 0} else {exit 1}
+ get_prereq_command: |-
+ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+ Invoke-WebRequest "https://github.com/mitchmoser/SharpShares/releases/download/v2.4/SharpShares.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe"
+ executor:
+ command: cmd /c '#{sharp_path}' /ldap:all | out-file -filepath "#{output_path}"
+ cleanup_command: remove-item "#{output_path}" -force -erroraction silentlycontinue
+ name: powershell
+ elevation_required: false
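Review bot: The dependency block hard-codes `PathToAtomicsFolder\..\ExternalPayloads\SharpShares.exe` in both `prereq_command` and `get_prereq_command` while the executor runs `#{sharp_path}`, so a user who overrides `sharp_path` gets a prerequisite check (and a download) against a path the test never executes. Using the argument in those lines keeps them consistent: `prereq_command: if (Test-Path "#{sharp_path}") {exit 0} else {exit 1}` and `-OutFile "#{sharp_path}"` in `get_prereq_command`. The fetched binary is also written to disk and executed with no integrity check; if the project's conventions permit it, comparing the downloaded file's hash against a recorded value (a `<EXPECTED_SHA256>` placeholder until one is pinned) before the prerequisite reports success would catch a replaced release asset. Finally, under a `powershell` executor the `cmd /c '#{sharp_path}'` wrapper adds a second quoting layer with no visible benefit; `& "#{sharp_path}" /ldap:all | Out-File -FilePath "#{output_path}"` runs the same command through one shell fewer.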