
T1021.002 SMB/Windows Admin Shares

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,[1] to interact with systems using remote procedure calls (RPCs),[2] transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.[3]

Item | Value
---- | -----
ID | T1021.002
Sub-techniques | T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006
Tactics | TA0008
Platforms | Windows
Permissions required | Administrator, User
Version | 1.0
Created | 11 February 2020
Last Modified | 23 March 2020

Procedure Examples

ID | Name | Description
-- | ---- | -----------
S0504 | Anchor | Anchor can support Windows execution via SMB shares.[20]
G0007 | APT28 | APT28 has mapped network drives using Net and administrator credentials.[46]
G0016 | APT29 | APT29 has used administrative accounts to connect over SMB to targeted users.[41]
G0022 | APT3 | APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[40]
G0050 | APT32 | APT32 used Net to use Windows’ hidden network shares to copy their tools to remote machines for execution.[37]
G0087 | APT39 | APT39 has used SMB for lateral movement.[49]
G0096 | APT41 | APT41 has transferred implant files using Windows Admin Shares.[34]
S0089 | BlackEnergy | BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[24]
G0108 | Blue Mockingbird | Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.[39]
G0114 | Chimera | Chimera has used Windows admin shares to move laterally.[35][36]
S0154 | Cobalt Strike | Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.[15]
S0608 | Conficker | Conficker variants spread through NetBIOS share propagation.[27]
S0575 | Conti | Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.[16][17]
G0009 | Deep Panda | Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[38]
S0659 | Diavol | Diavol can spread throughout a network via SMB prior to encryption.[29]
S0038 | Duqu | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[13]
S0367 | Emotet | Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.[11]
G0061 | FIN8 | FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[32]
G0117 | Fox Kitten | Fox Kitten has used valid accounts to access SMB shares.[52]
S0698 | HermeticWizard | HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.[30]
G0004 | Ke3chang | Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[47][48]
S0236 | Kwampirs | Kwampirs copies itself over network shares to move laterally on a victim network.[31]
G0032 | Lazarus Group | Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[50][51]
S0532 | Lucifer | Lucifer can infect victims by brute forcing SMB.[14]
S0039 | Net | Lateral movement can be done with Net through net use commands to connect to the Windows Admin Shares on remote systems.[8]
S0056 | Net Crawler | Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[10]
S0368 | NotPetya | NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[21][22][9]
S0365 | Olympic Destroyer | Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.[19][9]
G0116 | Operation Wocao | Operation Wocao has used Impacket’s as well as accessing the C$ and IPC$ shares to move laterally.[53]
G0071 | Orangeworm | Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS.[31]
S0029 | PsExec | PsExec, a tool that has been used by adversaries, writes programs to the ADMIN$ network share to execute commands on remote systems.[9]
S0019 | Regin | The Regin malware platform can use Windows admin shares to move laterally.[18]
S0446 | Ryuk | Ryuk has used the C$ network share for lateral movement.[23]
G0034 | Sandworm Team | Sandworm Team has run net use to connect to network shares.[44]
S0140 | Shamoon | Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.[28]
S0603 | Stuxnet | Stuxnet propagates to available network shares.[12]
G0028 | Threat Group-1314 | Threat Group-1314 actors mapped network drives using net use.[45]
G0010 | Turla | Turla used net use commands to connect to lateral systems within a network.[33]
G0102 | Wizard Spider | Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[42][43]
S0672 | Zox | Zox has the ability to use SMB for communication.[25]
S0350 | zwShell | zwShell has been copied over network shares to move laterally.[26]


Mitigations

ID | Mitigation | Description
-- | ---------- | -----------
M1037 | Filter Network Traffic | Consider using the host firewall to restrict file sharing communications such as SMB.[7]
M1035 | Limit Access to Resource Over Network | Consider disabling Windows administrative shares.
M1027 | Password Policies | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
M1026 | Privileged Account Management | Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.


Detection

ID | Data Source | Data Component
-- | ----------- | --------------
DS0017 | Command | Command Execution
DS0028 | Logon Session | Logon Session Creation
DS0033 | Network Share | Network Share Access
DS0029 | Network Traffic | Network Connection Creation
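As an added detection example (not part of the ATT&CK page), the Python below correlates the Logon Session, Network Share Access and Command data components over a handful of constructed sample events: a network (type 3) logon (Windows Security event 4624), access to one of the hidden admin shares named above (5140/5145), and a service install shortly afterwards (System event 7045, the pattern left by the PsExec-style procedures in the table). The one-line-per-event text format, the usernames, IPs and timestamps are all constructed for this example; the event IDs and field names are the standard Windows ones.

```python
from datetime import datetime, timedelta

# Hidden administrative shares named in the technique description.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$", "IPC$"}
# A service install this soon after an admin-share access suggests remote execution.
SERVICE_WINDOW = timedelta(seconds=60)

# Constructed sample events (not real logs): "<timestamp> <EventID> key=value ...".
# Field names follow the EventData names of Security 4624/5140 and System 7045.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01 4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.0.5 TargetLogonId=0x1a2b
2024-05-01T10:00:02 5140 SubjectUserName=svc_backup IpAddress=10.0.0.5 ShareName=\\*\ADMIN$ SubjectLogonId=0x1a2b
2024-05-01T10:00:03 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe
2024-05-01T11:15:00 4624 LogonType=3 TargetUserName=alice IpAddress=10.0.0.9 TargetLogonId=0x2c3d
2024-05-01T11:15:04 5140 SubjectUserName=alice IpAddress=10.0.0.9 ShareName=\\*\Finance SubjectLogonId=0x2c3d
"""

def parse_events(text):
    """Turn the line format above into dicts with a parsed timestamp and int event id."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "id": int(eid)}
        ev.update(f.split("=", 1) for f in fields)  # key=value pairs
        events.append(ev)
    return events

def find_admin_share_access(events):
    """Flag share-access events that hit a hidden admin share; note whether the
    session came from a network logon and whether a service install followed."""
    network_logons = {e["TargetLogonId"] for e in events
                      if e["id"] == 4624 and e.get("LogonType") == "3"}
    service_installs = [e["ts"] for e in events if e["id"] == 7045]
    findings = []
    for e in events:
        if e["id"] not in (5140, 5145):
            continue
        share = e["ShareName"].rsplit("\\", 1)[-1].upper()  # \\*\ADMIN$ -> ADMIN$
        if share not in ADMIN_SHARES:
            continue
        followed = any(e["ts"] <= t <= e["ts"] + SERVICE_WINDOW for t in service_installs)
        findings.append({
            "user": e["SubjectUserName"], "source_ip": e["IpAddress"], "share": share,
            "network_logon": e.get("SubjectLogonId") in network_logons,
            "service_install_followed": followed,
            "severity": "high" if followed else "medium",
        })
    return findings

if __name__ == "__main__":
    for finding in find_admin_share_access(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Ordinary share access (the Finance share) is left alone; only the admin-share access that a service install follows is raised to high severity.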


  1. Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017. 

  2. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016. 

  3. Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014. 

  4. Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016. 

  5. Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016. 

  6. French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019. 

  7. Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020. 

  8. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. 

  9. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015. 

  10. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  11. Smith, A. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. 

  12. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020. 

  13. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. 

  14. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 

  15. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. 

  16. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 

  17. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. 

  18. Kaspersky Lab’s Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. 

  19. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. 

  20. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. 

  21. Chiu, A. (2016, June 27). New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Retrieved March 26, 2019. 

  22. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. 

  23. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. 

  24. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. 

  25. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  26. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  27. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. 

  28. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. 

  29. Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 

  30. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022. 

  31. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 

  32. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  33. Kaspersky Lab’s Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. 

  34. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  35. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. 

  36. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  37. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  38. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. 

  39. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 

  40. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. 

  41. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 

  42. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 

  43. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. 

  44. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 

  45. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. 

  46. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. 

  47. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  48. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  49. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. 

  50. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  51. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  52. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. 

  53. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. 
