T1021.002 - SMB/Windows Admin Shares

T1021.002 - SMB/Windows Admin Shares#

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)

Atomic Tests#

Atomic Test #1 - Map admin shareConnecting To Remote Shares#

Supported Platforms: windows#### Attack Commands: Run with command_prompt

cmd.exe /c "net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator"

Invoke-AtomicTest T1021.002 -TestNumbers 1

Atomic Test #3 - Copy and Execute File with PsExec#

Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Dependencies: Run with `powershell`!#

Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})#

Check Prereq Commands:#

if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}

Get Prereq Commands:#

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force

Invoke-AtomicTest T1021.002 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with `command_prompt`#

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\localhost -accepteula -c C:\Windows\System32\cmd.exe

Invoke-AtomicTest T1021.002 -TestNumbers 3

Detection#

Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)

T1021.002 - SMB/Windows Admin Shares

Contents