T1021.002: SMB/Windows Admin Shares
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
remote_work: PT-CR-1937: SMB_RPC_Internet_Connection: Network interaction with an internet source via SMB or RPC that can be used by attackers to get initial access
mitre_attck_execution: PT-CR-2497: Subrule_Suspicious_RPC_Server: Successful connection to the RPC server
mitre_attck_execution: PT-CR-2119: Suspicious_RPC_Server: Possible connection to the Mimikatz RPC server. Attackers can connect to the Mimikatz RPC server on victim's computer to remotely execute commands using the mimikatz.py tool from the Impacket toolkit.
mitre_attck_discovery: PT-CR-2547: Subrule_LocalGroupListMembers: A security-enabled local group membership was enumerated from a remote host
mitre_attck_discovery: PT-CR-2151: Subrule_Net_Share_Access: A network directory object was accessed. Attackers use network directory objects for lateral movement.
mitre_attck_discovery: PT-CR-2150: Net_Tool_Usage: The NET utility was used. Attackers use the NET utility with the "use" parameter for network reconnaissance, accessing network shares, credential checks, and lateral movement.
mitre_attck_discovery: PT-CR-2548: LocalGroupListMembers_From_Remote_Host: A security-enabled local group membership was enumerated from a remote host
unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host
unix_mitre_attck_lateral_movement: PT-CR-1698: Subrule_Unix_PortForwarding: Possible traffic tunneling
mitre_attck_cred_access: PT-CR-2493: Subrule_Access_To_Protected_Storage_Share: Attackers can connect to the "protected_storage" network share to perform actions with encrypted user data using the DPAPI interface
mitre_attck_cred_access: PT-CR-917: Subrule_Shares_For_DragonCastle: Consecutive connections to network resources are detected
mitre_attck_lateral_movement: PT-CR-211: Remote_Code_Execution_Via_AtSvc: Remote creation of a Windows scheduled task with AtSvc
mitre_attck_lateral_movement: PT-CR-226: Remoting_Impacket_PsExec: Remote code execution using Impacket PsExec is detected
mitre_attck_lateral_movement: PT-CR-1754: Subrule_Windows_Remote_Logon_With_Explicit_Credentials: Network logon using explicit credentials
mitre_attck_lateral_movement: PT-CR-215: Remoting_WinExec: Detected using WinExec utility (Kali) for remote command execution
mitre_attck_lateral_movement: PT-CR-1374: Impacket_Like_Execution: Script execution patterns based on the Impacket tool are detected
mitre_attck_lateral_movement: PT-CR-1370: Remote_Execution_Via_Custom_Impacket: Lateral movement by executing code via the SMB protocol (using a utility based on the Impacket tool)
mitre_attck_lateral_movement: PT-CR-589: Remoting_SysInternals_PsExec: Remote code execution using Sysinternals Suite PsExec is detected
mitre_attck_lateral_movement: PT-CR-785: Modify_And_Start_Remote_Service: An attempt to use code execution or lateral movement by changing a system service startup command is detected
mitre_attck_lateral_movement: PT-CR-784: Auth_Coerce_With_WebClient_Abuse: Use of WebClient to force HTTP authorization (port 80) on an attacking host via PetitPotam or PrinterBug is detected
mitre_attck_lateral_movement: PT-CR-229: Remote_Admin_Share_Access: Access to network resources (disk$ or admin$) of the computer is detected
mitre_attck_lateral_movement: PT-CR-1697: Subrule_Windows_Logon: Subrule detects successful and unsuccessful SMB/RDP connection
profiling: PT-CR-228: Domain_Controller_Abnormal_Access: Suspicious logon to a domain controller. Authentication data differ from the collected profile.
profiling: PT-CR-1040: Release_Build_Agent_Abnormal_Access: Suspicious logon to a build agent server. Authentication data differ from the collected profile.
profiling: PT-CR-1042: Update_Server_Abnormal_Access: Suspicious login to the update server (FLUS/GUS). Authentication data differs from the collected profile.
profiling: PT-CR-1810: Critical_Server_Abnormal_Access: Suspicious logon to a critical server. Authentication data differ from the collected profile.
profiling: PT-CR-1052: Antivirus_Server_Abnormal_Access: Suspicious logon to an antivirus server. Authentication data differ from the collected profile.
profiling: PT-CR-1045: VCS_Server_Abnormal_Access: Suspicious logon to a version control system. Authentication data differ from the collected profile.
profiling: PT-CR-1035: App_1C_User_PC_Abnormal_Access: A suspicious logon to a host with access to the 1C application. Authentication data differ from the collected profile.
profiling: PT-CR-1812: App_1C_Server_Abnormal_Access: Suspicious logon to the 1C application server. Authentication data differ from the collected profile.
profiling: PT-CR-1070: Top_Managers_Abnormal_Access: Suspicious logon to a top manager workstation. Authentication data differ from the collected profile.
profiling: PT-CR-1044: Developer_PC_Abnormal_Access: Suspicious logon to a developer's computer. Authentication data differ from the collected profile.
hacking_tools: PT-CR-1356: Sliver_PsExec: Sliver PsExec module start from the C2 framework Sliver is detected
hacking_tools: PT-CR-752: Cobalt_Strike_Psexec_Jump: Lateral movement using Cobalt Strike PSexec
hacking_tools: PT-CR-202: Impacket_SMBEXEC: Use of Impacket SMBExec for code execution is detected
hacking_tools: PT-CR-754: Cobalt_Strike_Service_Move: BOF (ServiceMove) for Cobalt Strike was used
hacking_tools: PT-CR-350: Cobalt_Strike_SMB_Beacon: A named pipe specific to Cobalt Strike software was created or connected
hacking_tools: PT-CR-748: Cobalt_Strike_Payload_Delivery_Check: Multiple attempts to verify payload delivery using Cobalt Strike software
hacking_tools: PT-CR-2632: Subrule_Cobalt_Strike_Service_Creation: Service creation with a network path to an executable file for lateral movement or privilege escalation using Cobalt Strike
hacking_tools: PT-CR-1838: NimExec_Activity: The activity of the NimExec tool used to remotely execute commands is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon SMB data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network analysis frameworks such as Zeek can be used to capture, decode, and alert on SMB network flows. Notes: Analytic 1 - SMB Write |
| DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections (typically over ports 139 or 445), especially those that are sent or received by abnormal or untrusted hosts. Correlate these network connections with remote login events and associated SMB-related activity such as file transfers and remote process execution. Note: the event ID is Zeek's, but the analytic can also be implemented in other network analysis frameworks by parsing and decoding captured SMB2 network traffic. The preference would be to detect the smb2_write_response event (instead of smb2_write_request), because it would confirm that the file was actually written to the remote destination; unfortunately, Bro/Zeek does not have an event for that SMB message type yet. From a network traffic capture standpoint, it is important to capture the right traffic for this type of detection to function (e.g., all endpoint-to-endpoint traffic if possible, or workstation-to-server and workstation-to-workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints. Analytics 1 and 2 are very similar, the key difference being that Implementation 2 is intended to capture multiple attempts at lateral movement originating from the same host within a short time period (5 minutes). The Service Control Manager (SCM) can be used to copy a file to the ADMIN$ share and execute it as a service. This can be detected by looking for incoming RPC network connections to the Service Control Manager, followed by services.exe spawning a child process. Analytic 1 - Basic |
| DS0009 | Process: Process Creation | Monitor for the creation of the WMI Win32_Process class and its Create method to interact with a remote network share using Server Message Block (SMB). Relevant indicators detected by Bro/Zeek are IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. Note that when the Create method is used on a remote system, the method is run under a host process named WmiPrvSE.exe. WmiPrvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method, so the new process created remotely will have WmiPrvSE.exe as its parent. WmiPrvSE.exe is a DCOM server and is spawned underneath the DCOM service host svchost.exe with the following parameters: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiPrvSE.exe is spawned in a different logon session by the DCOM service host. However, whatever is executed by WmiPrvSE.exe occurs in the new network type (3) logon session created by the user that authenticated from the network. Analytic 1 - Basic |
| DS0033 | Network Share: Network Share Access | Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB). |
| DS0028 | Logon Session: Logon Session Creation | Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface, and Discovery techniques that could be used to find remotely accessible systems. Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect potential connections to and writes to remote shares. |
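The SMB-write analytic from the Network Traffic Flow row and the 5-minute "Implementation 2" burst variant from the Network Connection Creation row, worked as an added example (not code from the ATT&CK page or the MaxPatrol rule set) over constructed Zeek smb_files.log-style JSON records; the field names (ts, id.orig_h, id.resp_h, action, path, name) and the SMB::FILE_WRITE action value are assumptions about Zeek's log schema.

```python
"""Flag SMB writes to Windows admin shares in Zeek-style smb_files records.

Analytic 1 flags any write to a C$/ADMIN$/IPC$-style share; Analytic 2 flags a
source that writes to several distinct hosts inside a 5-minute window."""
import json
import re
from collections import defaultdict

# Constructed records shaped like Zeek smb_files.log JSON output (not real traffic).
SAMPLE_LOG = r"""
{"ts": 1700000000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.20", "action": "SMB::FILE_READ", "path": "\\\\10.0.0.20\\finance", "name": "q3.xlsx"}
{"ts": 1700000010.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.21", "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.21\\ADMIN$", "name": "svc.exe"}
{"ts": 1700000070.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.22", "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.22\\C$", "name": "Windows\\Temp\\x.bat"}
{"ts": 1700000130.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.23", "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.23\\ADMIN$", "name": "svc.exe"}
{"ts": 1700000500.0, "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.30", "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.30\\ADMIN$", "name": "patch.msi"}
{"ts": 1700009000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.24", "action": "SMB::FILE_WRITE", "path": "\\\\10.0.0.24\\ADMIN$", "name": "svc.exe"}
"""

# \\host\X$ (any drive letter), \\host\ADMIN$ or \\host\IPC$; share names are case-insensitive.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(?:[A-Za-z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)


def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def admin_share_writes(records):
    """Analytic 1: keep writes (not reads) whose target share is administrative."""
    return [r for r in records
            if r.get("action") == "SMB::FILE_WRITE" and ADMIN_SHARE.match(r.get("path", ""))]


def burst_sources(hits, min_targets=3, window=300):
    """Analytic 2: sources writing to >= min_targets distinct hosts inside one window."""
    by_src = defaultdict(list)
    for r in hits:
        by_src[r["id.orig_h"]].append((r["ts"], r["id.resp_h"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:  # slide the window start over each write from this source
            targets = {h for t, h in events if t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    hits = admin_share_writes(parse_records(SAMPLE_LOG))
    for r in hits:
        print(f"admin share write: {r['id.orig_h']} -> {r['path']}\\{r['name']}")
    for src, targets in burst_sources(hits).items():
        print(f"burst from {src} to {len(targets)} hosts within 5 min: {targets}")
```

Analytic 1 alone will also fire on legitimate software deployment (the 10.0.0.9 record), which is why the page pairs it with logon and process correlation; Analytic 2 narrows on the fan-out pattern instead.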
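The host-side correlation implied by the Process Creation and Logon Session Creation rows (a child of WmiPrvSE.exe running in the network Logon Type 3 session, or services.exe spawning a child shortly after a network logon), as an added example that is not from the ATT&CK page or MaxPatrol; the Security 4624 and Sysmon Event ID 1 records are constructed and their field names are assumptions about those event schemas.

```python
"""Correlate remote-execution child processes with the network logon behind them."""
import json

# Parents the page names for remote execution over SMB/RPC: remote WMI Create
# runs under WmiPrvSE.exe, SCM-based service execution under services.exe.
REMOTE_EXEC_PARENTS = ("wmiprvse.exe", "services.exe")

# Constructed Security 4624 and Sysmon Event ID 1 records (not real logs); "ts" is seconds.
EVENTS = [json.loads(s) for s in r"""
{"ts": 100, "EventID": 4624, "LogonType": 3, "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.5", "TargetUserName": "admin"}
{"ts": 102, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "LogonId": "0x3e7a1"}
{"ts": 150, "EventID": 4624, "LogonType": 2, "TargetLogonId": "0x51c00", "IpAddress": "-", "TargetUserName": "jsmith"}
{"ts": 151, "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "LogonId": "0x51c00"}
{"ts": 400, "EventID": 4624, "LogonType": 3, "TargetLogonId": "0x7b2c3", "IpAddress": "10.0.0.5", "TargetUserName": "admin"}
{"ts": 405, "EventID": 1, "Image": "C:\\Windows\\svc.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "LogonId": "0x3e7"}
{"ts": 900, "EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "LogonId": "0x3e7"}
""".strip().splitlines()]


def remote_exec_children(events, window=60):
    """Return (image, source IP, parent) for children of remote-execution host processes.

    A WmiPrvSE.exe child must share its LogonId with a Logon Type 3 (network)
    logon, as the page describes; a services.exe child runs as SYSTEM, so it is
    only tied to a network logon seen within `window` seconds before it."""
    net_logons, findings = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["EventID"] == 4624:
            if ev["LogonType"] == 3:
                net_logons.append(ev)
            continue
        if ev["EventID"] != 1:
            continue
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent not in REMOTE_EXEC_PARENTS:
            continue
        recent = [lg for lg in net_logons if 0 <= ev["ts"] - lg["ts"] <= window]
        if parent == "wmiprvse.exe":
            recent = [lg for lg in recent if lg["TargetLogonId"] == ev["LogonId"]]
        if recent:
            findings.append((ev["Image"], recent[-1]["IpAddress"], parent))
    return findings


if __name__ == "__main__":
    for image, src, parent in remote_exec_children(EVENTS):
        print(f"{image} spawned by {parent} after network logon from {src}")
```

The services.exe branch is deliberately weaker than the WMI branch: without the incoming RPC connection to the SCM that the page recommends as the first half of the pair, time proximity to a network logon is the only link available from host logs alone.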
Mitigation
| ID | Name | Description |
|---|---|---|
| M1035 | Limit Access to Resource Over Network | Consider disabling Windows administrative shares. |
| M1037 | Filter Network Traffic | Consider using the host firewall to restrict file sharing communications such as SMB. |
| M1027 | Password Policies | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. |
| M1026 | Privileged Account Management | Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems. |