T1021.002: SMB/Windows Admin Shares

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

  • remote_work: PT-CR-1937: SMB_RPC_Internet_Connection: Network interaction with an internet source via SMB or RPC that can be used by attackers to get initial access
  • mitre_attck_execution: PT-CR-2497: Subrule_Suspicious_RPC_Server: Successful connection to the RPC server
  • mitre_attck_execution: PT-CR-2119: Suspicious_RPC_Server: Possible connection to the Mimikatz RPC server. Attackers can connect to the Mimikatz RPC server on the victim's computer to remotely execute commands using the mimikatz.py tool from the Impacket toolkit.
  • mitre_attck_discovery: PT-CR-2547: Subrule_LocalGroupListMembers: A security-enabled local group membership was enumerated from a remote host
  • mitre_attck_discovery: PT-CR-2151: Subrule_Net_Share_Access: A network directory object was accessed. Attackers use network directory objects for lateral movement.
  • mitre_attck_discovery: PT-CR-2150: Net_Tool_Usage: The NET utility was used. Attackers use the NET utility with the "use" parameter for network reconnaissance, accessing network shares, credential checks, and lateral movement.
  • mitre_attck_discovery: PT-CR-2548: LocalGroupListMembers_From_Remote_Host: A security-enabled local group membership was enumerated from a remote host
  • unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host
  • unix_mitre_attck_lateral_movement: PT-CR-1698: Subrule_Unix_PortForwarding: Possible traffic tunneling
  • mitre_attck_cred_access: PT-CR-2493: Subrule_Access_To_Protected_Storage_Share: Attackers can connect to the "protected_storage" network share to perform actions with encrypted user data using the DPAPI interface
  • mitre_attck_cred_access: PT-CR-917: Subrule_Shares_For_DragonCastle: Consecutive connections to network resources are detected
  • mitre_attck_lateral_movement: PT-CR-211: Remote_Code_Execution_Via_AtSvc: Remote creation of a Windows scheduled task with AtSvc
  • mitre_attck_lateral_movement: PT-CR-226: Remoting_Impacket_PsExec: Remote code execution using Impacket PsExec is detected
  • mitre_attck_lateral_movement: PT-CR-1754: Subrule_Windows_Remote_Logon_With_Explicit_Credentials: Network logon using explicit credentials
  • mitre_attck_lateral_movement: PT-CR-215: Remoting_WinExec: Use of the WinExec utility (Kali) for remote command execution is detected
  • mitre_attck_lateral_movement: PT-CR-1374: Impacket_Like_Execution: Script execution patterns based on the Impacket tool are detected
  • mitre_attck_lateral_movement: PT-CR-1370: Remote_Execution_Via_Custom_Impacket: Lateral movement by executing code via the SMB protocol (using a utility based on the Impacket tool)
  • mitre_attck_lateral_movement: PT-CR-589: Remoting_SysInternals_PsExec: Remote code execution using Sysinternals Suite PsExec is detected
  • mitre_attck_lateral_movement: PT-CR-785: Modify_And_Start_Remote_Service: An attempt to use code execution or lateral movement by changing a system service startup command is detected
  • mitre_attck_lateral_movement: PT-CR-784: Auth_Coerce_With_WebClient_Abuse: Use of WebClient to force HTTP authorization (port 80) on an attacking host via PetitPotam or PrinterBug is detected
  • mitre_attck_lateral_movement: PT-CR-229: Remote_Admin_Share_Access: Access to network resources (disk$ or admin$) of the computer is detected
  • mitre_attck_lateral_movement: PT-CR-1697: Subrule_Windows_Logon: Subrule detects successful and unsuccessful SMB/RDP connections
  • profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
  • profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1042: Update_Server_Abnormal_Access: Suspicious logon to the update server (FLUS/GUS). Authentication data differ from the collected profile.
  • profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
  • profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: Suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
  • profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
  • profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
  • profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
  • hacking_tools: PT-CR-1356: Sliver_PsExec: Sliver PsExec module start from the C2 framework Sliver is detected
  • hacking_tools: PT-CR-752: Cobalt_Strike_Psexec_Jump: Lateral movement using Cobalt Strike PsExec
  • hacking_tools: PT-CR-202: Impacket_SMBEXEC: Use of Impacket SMBExec for code execution is detected
  • hacking_tools: PT-CR-754: Cobalt_Strike_Service_Move: BOF (ServiceMove) for Cobalt Strike was used
  • hacking_tools: PT-CR-350: Cobalt_Strike_SMB_Beacon: A named pipe specific to Cobalt Strike software was created or connected
  • hacking_tools: PT-CR-748: Cobalt_Strike_Payload_Delivery_Check: Multiple attempts to verify payload delivery using Cobalt Strike software
  • hacking_tools: PT-CR-2632: Subrule_Cobalt_Strike_Service_Creation: Service creation with a network path to an executable file for lateral movement or privilege escalation using Cobalt Strike
  • hacking_tools: PT-CR-1838: NimExec_Activity: The activity of the NimExec tool used to remotely execute commands is detected

Detection

ID DS0029 | Data source and component: Network Traffic: Network Traffic Flow | Description:

Monitor network data for uncommon SMB data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on SMB network flows.

Notes:

  • The logic for Implementation 1 is based around detecting on SMB write requests, which are often used by adversaries to move laterally to another host. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to looking at techniques associated with actively changing remote hosts, instead of passively reading files.
  • The logic for Implementation 2 is based around detection of new processes that were created from a file written to an SMB share. First, a file is remotely written to a host via an SMB share; then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.

Analytic 1 - SMB Write

source="*Zeek:SMB_Files" port="445" AND protocol="smb.write"

ID DS0029 | Data source and component: Network Traffic: Network Connection Creation | Description:

Monitor for newly constructed network connections (typically over ports 139 or 445), especially those that are sent or received by abnormal or untrusted hosts. Correlate these network connections with remote login events and associated SMB-related activity such as file transfers and remote process execution.

Note: Event ID is for Zeek but can also be implemented in other Network Analysis Frameworks by parsing & decoding captured SMB2 network traffic. Preference would be to detect smb2_write_response event (instead of smb2_write_request), because it would confirm the file was actually written to the remote destination. Unfortunately, Bro/Zeek does not have an event for that SMB message-type yet. From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.

Analytics 1 and 2 are very similar, with the key difference being that Implementation 2 is intended to capture multiple attempts at lateral movement originating from the same host within a short time period (5 minutes).

  • smb2_write_request or smb1_write_andx_response is an indication of an SMB file write to a Windows Admin File Share: ADMIN$ or C$

  • smb2_tree_connect_request or smb1_tree_connect_andx_request is observed originating from the same host, regardless of write attempts and regardless of whether any connection is successful (just connection attempts), within a specified period of time (REPEATS 5 TIMES WITHIN 5 MINUTES FROM SAME src_ip).

The Service Control Manager (SCM) can be used to copy a file to the ADMIN$ share and execute it as a service. This can be detected by looking for incoming RPC network connections to the Service Control Manager, followed by services.exe spawning a child process.

Analytic 1 - Basic

source="*Zeek:SMB_Files" EventCode IN ("smb2_write_request", "smb1_write_andx_response", "smb2_tree_connect_request", "smb1_tree_connect_andx_request") AND (Path="ADMIN$" OR Path="C$")
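As an added example (not from the ATT&CK page or either vendor's product), the two Zeek-based analytics above applied to constructed event records: admin-share write detection and the "5 tree-connect attempts within 5 minutes from one src_ip" window. The record fields ts, src_ip, event and path are assumptions for the sample; the event names are the Zeek ones listed above.

```python
"""Constructed Zeek-style SMB event records; not a real capture."""
from collections import defaultdict, deque

WRITE_EVENTS = {"smb2_write_request", "smb1_write_andx_response"}
CONNECT_EVENTS = {"smb2_tree_connect_request", "smb1_tree_connect_andx_request"}
ADMIN_SHARES = {"ADMIN$", "C$"}
WINDOW_SECONDS = 300   # Implementation 2: 5 attempts within 5 minutes ...
THRESHOLD = 5          # ... from the same source host


def admin_share_writes(events):
    """Analytic 1: (src_ip, ts) for every write request aimed at ADMIN$ or C$."""
    hits = []
    for e in events:
        if e["event"] not in WRITE_EVENTS:
            continue
        # path may be a bare share name or a UNC path; compare its last element
        share = e.get("path", "").split("\\")[-1].upper()
        if share in ADMIN_SHARES:
            hits.append((e["src_ip"], e["ts"]))
    return hits


def repeated_tree_connects(events):
    """Implementation 2: hosts issuing THRESHOLD tree-connect attempts inside any
    WINDOW_SECONDS span (success or failure irrelevant). Returns {src_ip: alert_ts}."""
    recent = defaultdict(deque)   # per-source sliding window of attempt timestamps
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] not in CONNECT_EVENTS:
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW_SECONDS:   # drop attempts older than window
            q.popleft()
        if len(q) >= THRESHOLD and e["src_ip"] not in alerts:
            alerts[e["src_ip"]] = e["ts"]
    return alerts


SAMPLE_EVENTS = [  # constructed records (assumed field names)
    {"ts": 1000, "src_ip": "10.1.1.20", "event": "smb2_tree_connect_request"},
    {"ts": 1010, "src_ip": "10.1.1.20", "event": "smb2_write_request", "path": "\\\\10.1.1.50\\ADMIN$"},
    {"ts": 1020, "src_ip": "10.1.1.21", "event": "smb2_write_request", "path": "\\\\10.1.1.50\\Public"},
    # one host touching five shares in two minutes: should alert
    *({"ts": 2000 + 30 * i, "src_ip": "10.1.1.99", "event": "smb1_tree_connect_andx_request"} for i in range(5)),
    # five connects spread over an hour: never five inside one window, no alert
    *({"ts": 3000 + 900 * i, "src_ip": "10.1.1.30", "event": "smb2_tree_connect_request"} for i in range(5)),
]
```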

ID DS0009 | Data source and component: Process: Process Creation | Description:

Monitor for the creation of WMI Win32_Process class and method Create to interact with a remote network share using Server Message Block (SMB). Relevant indicators detected by Bro/Zeek are IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. Note that when the Create method is used on a remote system, the method runs under a host process named "Wmiprvse.exe".

The process WmiprvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, the new process created remotely will have Wmiprvse.exe as a parent. WmiprvSE.exe is a DCOM server and it is spawned underneath the DCOM service host svchost.exe with the following parameters C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiprvSE.exe is spawned in a different logon session by the DCOM service host. However, whatever is executed by WmiprvSE.exe occurs on the new network type (3) logon session created by the user that authenticated from the network.

Analytic 1 - Basic

((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND ParentImage="*wmiprvse.exe" AND TargetLogonID="0x3e7"
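An added host-side example (not the page's own analytic) covering the two remote-execution parents described above: children of wmiprvse.exe from the WMI Create method, and children of services.exe that follow an inbound network connection to the SCM. The Sysmon-style record shape and the 30-second pairing window are assumptions made for this sample.

```python
"""Constructed Sysmon-style records: EID 1 = process creation, EID 3 = network
connection. Field names (ts, event_id, image, parent_image, logon_id, src_ip,
initiated) are assumed for the sample, not taken from the page."""
import ntpath

SCM_WINDOW = 30  # assumed: seconds between inbound RPC to services.exe and its child


def _basename(path):
    """Compare on the executable name only; path casing differs across logs."""
    return ntpath.basename(path).lower()


def wmi_spawned_processes(events):
    """Processes whose parent is wmiprvse.exe (where remote Win32_Process.Create
    lands). Returns (ts, image, logon_id) so the logon session can be reviewed."""
    return [(e["ts"], e["image"], e["logon_id"]) for e in events
            if e["event_id"] == 1 and _basename(e["parent_image"]) == "wmiprvse.exe"]


def scm_remote_service_starts(events):
    """Pairs an inbound connection to services.exe with a services.exe child
    created within SCM_WINDOW seconds afterwards. Returns (src_ip, ts, image)."""
    inbound = [e for e in events
               if e["event_id"] == 3 and not e["initiated"]
               and _basename(e["image"]) == "services.exe"]
    hits = []
    for e in events:
        if e["event_id"] != 1 or _basename(e["parent_image"]) != "services.exe":
            continue
        for c in inbound:
            if 0 <= e["ts"] - c["ts"] <= SCM_WINDOW:
                hits.append((c["src_ip"], e["ts"], e["image"]))
                break
    return hits


SVC = r"C:\Windows\System32\services.exe"
SAMPLE_EVENTS = [  # constructed, not a real log; tool path is a placeholder
    {"ts": 100, "event_id": 3, "image": SVC, "src_ip": "10.1.1.99", "initiated": False},
    {"ts": 104, "event_id": 1, "image": r"C:\Windows\Temp\remote_tool.exe",
     "parent_image": SVC, "logon_id": "0x3e7"},
    # routine service start with no inbound SCM connection nearby: not flagged
    {"ts": 500, "event_id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": SVC, "logon_id": "0x3e7"},
    {"ts": 900, "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "logon_id": "0x5a1f3"},
]
```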

ID DS0033 | Data source and component: Network Share: Network Share Access | Description:

Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB).

ID DS0028 | Data source and component: Logon Session: Logon Session Creation | Description:

Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding.

ID DS0017 | Data source and component: Command: Command Execution | Description:

Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.

Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential connections to and writes to remote shares.

Mitigation

ID M1035 | Name: Limit Access to Resource Over Network | Description:

Consider disabling Windows administrative shares.

ID M1037 | Name: Filter Network Traffic | Description:

Consider using the host firewall to restrict file sharing communications such as SMB.

ID M1027 | Name: Password Policies | Description:

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.

ID M1026 | Name: Privileged Account Management | Description:

Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.