Description
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
Network Pentesting Methodology
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (4)
Privileged Account ManagementM1026
Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.
Limit Access to Resource Over NetworkM1035
Consider disabling Windows administrative shares.
Filter Network TrafficM1037
Consider using the host firewall to restrict file sharing communications such as SMB. (Citation: Microsoft Preventing SMB)
Password PoliciesM1027
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
Threat Groups (27)
| ID | Group | Context |
|---|---|---|
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has used batch scripts that can enable SMB on a compromised host.(Citation: Checkpoint MosesStaff... |
| G0028 | Threat Group-1314 | [Threat Group-1314](https://attack.mitre.org/groups/G0028) actors mapped network drives using <code>net use</code>.(Citation: Dell TG-1314) |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) used remote shares to enable lateral movement in victim environments.(Citation: Crowdstrike Hun... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, t... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) actors have been known to copy files to the network shares of other computers to move laterally.(Cit... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) used <code>net use</code> commands to connect to lateral systems within a network.(Citation: Kaspersky ... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has leveraged SMB to move laterally within a compromised network via application servers and SQL server... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC ... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used valid accounts to access SMB shares.(Citation: CISA AA20-259A Iran-Based Actor September ... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used [Cobalt Strike](https://attack.mitre.org/software/S0154) to move laterally via SMB.(Citation: T... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has copied payloads to the `ADMIN$` share of remote systems and run <code>net use</code> to con... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has used locally mounted network shares for lateral movement through targated environments.(Citation... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.(Citation: Symant... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. [... |
| G0108 | Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citatio... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) used [Net](https://attack.mitre.org/software/S0039) to use Windows' hidden network shares to copy their... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has used SMBexec for lateral movement.(Citation: Sygnia Emperor Dragonfly October 2022) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used SMB to copy malware between systems in compromised environments.(Citation: Trend Micro Ea... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomw... |
Associated Software (30)
| ID | Name | Type | Context |
|---|---|---|---|
| S0575 | Conti | Malware | [Conti](https://attack.mitre.org/software/S0575) can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on ... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has leveraged the Admin$, C$, and IPC$ shares for lateral movement. (Citation: Malwarebytes Emotet D... |
| S0350 | zwShell | Malware | [zwShell](https://attack.mitre.org/software/S0350) has been copied over network shares to move laterally.(Citation: McAfee Night Dragon) |
| S0446 | Ryuk | Malware | [Ryuk](https://attack.mitre.org/software/S0446) has used the C$ network share for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) |
| S0029 | PsExec | Tool | [PsExec](https://attack.mitre.org/software/S0029), a tool that has been used by adversaries, writes programs to the <code>ADMIN$</code> network share ... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) accesses network share(s), enables share access to the target device, copies an executable payload ... |
| S1073 | Royal | Malware | [Royal](https://attack.mitre.org/software/S1073) can use SMB to connect to move laterally.(Citation: Cybereason Royal December 2022) |
| S0368 | NotPetya | Malware | [NotPetya](https://attack.mitre.org/software/S0368) can use [PsExec](https://attack.mitre.org/software/S0029), which interacts with the <code>ADMIN$</... |
| S0659 | Diavol | Malware | [Diavol](https://attack.mitre.org/software/S0659) can spread throughout a network via SMB prior to encryption.(Citation: Fortinet Diavol July 2021) |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) has run a plug-in on a victim to spread through the local network by using [PsExec](https://att... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can embed a copy of [PsExec](https://attack.mitre.org/software/S0029) within its payload and place it... |
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) has the ability to use SMB to pivot in compromised networks.(Citation: Palo Alto Brute Ratel... |
| S0672 | Zox | Malware | [Zox](https://attack.mitre.org/software/S0672) has the ability to use SMB for communication.(Citation: Novetta-Axiom) |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) can use credentials provided in its configuration to move laterally from the infected machine ove... |
| S0608 | Conficker | Malware | [Conficker](https://attack.mitre.org/software/S0608) variants spread through NetBIOS share propagation.(Citation: SANS Conficker) |
| S0038 | Duqu | Malware | Adversaries can instruct [Duqu](https://attack.mitre.org/software/S0038) to spread laterally by copying itself to shares it has enumerated and for whi... |
| S0236 | Kwampirs | Malware | [Kwampirs](https://attack.mitre.org/software/S0236) copies itself over network shares to move laterally on a victim network.(Citation: Symantec Orange... |
| S0039 | Net | Tool | Lateral movement can be done with [Net](https://attack.mitre.org/software/S0039) through <code>net use</code> commands to connect to the on remote sys... |
| S0019 | Regin | Malware | The [Regin](https://attack.mitre.org/software/S0019) malware platform can use Windows admin shares to move laterally.(Citation: Kaspersky Regin) |
References
- French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.
- Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
- Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.
- Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.
- Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.
- Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.
Frequently Asked Questions
What is T1021.002 (SMB/Windows Admin Shares)?
T1021.002 is a MITRE ATT&CK technique named 'SMB/Windows Admin Shares'. It belongs to the Lateral Movement tactic(s). Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the...
How can T1021.002 be detected?
Detection of T1021.002 (SMB/Windows Admin Shares) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021.002?
There are 4 documented mitigations for T1021.002. Key mitigations include: Privileged Account Management, Limit Access to Resource Over Network, Filter Network Traffic, Password Policies.
Which threat groups use T1021.002?
Known threat groups using T1021.002 include: Moses Staff, Threat Group-1314, Aquatic Panda, Wizard Spider, APT41, Ke3chang, Turla, FIN13.