T1021.002: SMB/Windows Admin Shares
| View on MITRE ATT&CK | T1021.002 |
|---|---|
| Tactic(s) | Lateral Movement |
| Associated CAPEC Patterns | Windows Admin Shares with Stolen Credentials (CAPEC-561) |
Data from MITRE ATT&CK®:
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
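As an added detection-side illustration (not part of the MITRE text or this site's content), the script below applies the admin-share names from the description above to constructed records shaped like Windows Security event 5145 (network share object access). The field names mirror that event's data fields; the hosts, users, addresses and access masks are made-up sample values, and treating an IPC$ request for the svcctl pipe as remote service control is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample records shaped like Windows Security event 5145.
# Keys mirror the event's data field names; all values are made up.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "SubjectUserName": "alice", "IpAddress": "10.0.5.20",
     "ShareName": r"\\*\Finance", "RelativeTargetName": r"Q3\budget.xlsx", "AccessMask": "0x1"},
    {"Computer": "WS07", "SubjectUserName": "svc_backup", "IpAddress": "10.0.9.3",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "svc_update.exe", "AccessMask": "0x2"},
    {"Computer": "WS07", "SubjectUserName": "svc_backup", "IpAddress": "10.0.9.3",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "svcctl", "AccessMask": "0x12019f"},
    {"Computer": "WS12", "SubjectUserName": "svc_backup", "IpAddress": "10.0.9.3",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Windows\Temp\out.txt", "AccessMask": "0x1"},
]

# Hidden administrative shares: <drive letter>$ (C$, D$, ...), ADMIN$ and IPC$.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)
# Access-mask bits that mean the client asked to write or append file data.
WRITE_BITS = 0x2 | 0x4
# Named pipe reached through IPC$ that fronts the Service Control Manager
# (assumption: a request for it is treated as remote service control).
SERVICE_PIPE = "svcctl"

def classify(ev):
    """Return a finding label for one 5145-style record, or None if not an admin share."""
    share = ev["ShareName"]
    if not ADMIN_SHARE.match(share):
        return None
    target = ev["RelativeTargetName"].lower()
    mask = int(ev["AccessMask"], 16)
    if share.upper().endswith("IPC$") and target == SERVICE_PIPE:
        return "remote service control via IPC$\\svcctl"
    if mask & WRITE_BITS:
        return f"file written to admin share {share}"
    return f"admin share read {share}"

def find_admin_share_activity(events):
    """Group findings by (source IP, user) so fan-out across hosts is visible."""
    by_source = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_source[(ev["IpAddress"], ev["SubjectUserName"])].append((ev["Computer"], label))
    return dict(by_source)

if __name__ == "__main__":
    for (ip, user), findings in find_admin_share_activity(SAMPLE_EVENTS).items():
        hosts = sorted({c for c, _ in findings})
        print(f"{user}@{ip} touched admin shares on {len(hosts)} host(s): {hosts}")
        for computer, label in findings:
            print(f"  {computer}: {label}")
```

On real data the same grouping, fed from event 5145 on every host, is what turns single-share accesses into the one-source-many-hosts pattern that the data components below are collected for.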
Reporting on this Technique
Investigating New INC Ransom Group Activity
This blog post from Huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs
This cybersecurity advisory from the U.S. Federal Bureau of Investigation (FBI) and its partners highlights the cyber espionage activities of the ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Privileged Account Management
Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
Password Policies
Set and enforce secure password policies for accounts.
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Limit Access to Resource Over Network
Prevent access to file shares, remote access to systems, and unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics such as protocol headers and volume (ex: Netflow or Zeek http.log)
Process Creation (Process)
The initial construction of an executable managed by the OS, which may involve one or more tasks or threads (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Network Share Access (Network Share)
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Logon Session Creation (Logon Session)
Initial construction of a successful new user logon following an authentication attempt (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wtmp)
Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
HackTool - SharpMove Tool Execution
Suspicious PsExec Execution - Zeek
Wmiprvse Wbemcomn DLL Hijack
Potential CobaltStrike Service Installations - Registry
Windows Internet Hosted WebDav Share Mount Via Net.EXE
Potential DCOM InternetExplorer.Application DLL Hijack
Copy From Or To Admin Share Or Sysvol Folder
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
First Time Seen Remote Named Pipe
SMB Create Remote File Admin Share
smbexec.py Service Installation
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
PUA - RemCom Default Named Pipe
Impacket PsExec Execution
First Time Seen Remote Named Pipe - Zeek
Password Provided In Command Line Of Net.EXE
Remote Service Activity via SVCCTL Named Pipe
Rundll32 UNC Path Execution
Rundll32 Execution Without Parameters
Suspicious PsExec Execution
Wmiprvse Wbemcomn DLL Hijack - File
CobaltStrike Service Installations - Security
CobaltStrike Service Installations - System
Windows Share Mount Via Net.EXE
Metasploit Or Impacket Service Installation Via SMB PsExec
Protected Storage Service Access
DCERPC SMB Spoolss Named Pipe
PUA - CSExec Default Named Pipe
Access To ADMIN$ Network Share
Windows Admin Share Mount Via Net.EXE
Metasploit SMB Authentication
Suspicious New-PSDrive to Admin Share
SMB Spoolss Name Piped Usage
T1047 Wmiprvse Wbemcomn DLL Hijack
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.