ID | Name |
---|---|
T1021.001 | Remote Desktop Protocol |
T1021.002 | SMB/Windows Admin Shares |
T1021.003 | Distributed Component Object Model |
T1021.004 | SSH |
T1021.005 | VNC |
T1021.006 | Windows Remote Management |
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$
, ADMIN$
, and IPC$
. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,[1] to interact with systems using remote procedure calls (RPCs),[2] transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.[3]
ID | Name | Description |
---|---|---|
S0504 | Anchor | |
G0007 | APT28 |
APT28 has mapped network drives using Net and administrator credentials.[5] |
G0016 | APT29 |
APT29 has used administrative accounts to connect over SMB to targeted users.[6] |
G0022 | APT3 |
APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[7] |
G0050 | APT32 |
APT32 used Net to use Windows' hidden network shares to copy their tools to remote machines for execution.[8] |
G0087 | APT39 | |
G0096 | APT41 |
APT41 has transferred implant files using Windows Admin Shares.[10] |
S0089 | BlackEnergy |
BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[11] |
G0108 | Blue Mockingbird |
Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.[12] |
G0114 | Chimera |
Chimera has used Windows admin shares to move laterally.[13][14] |
S0154 | Cobalt Strike |
Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement.[15] |
S0608 | Conficker |
Conficker variants spread through NetBIOS share propagation.[16] |
S0575 | Conti |
Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.[17][18] |
G0009 | Deep Panda |
Deep Panda uses net.exe to connect to network shares using |
S0659 | Diavol |
Diavol can spread throughout a network via SMB prior to encryption.[20] |
S0038 | Duqu |
Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[21] |
S0367 | Emotet |
Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. [22] |
G0061 | FIN8 |
FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[23] |
G0117 | Fox Kitten |
Fox Kitten has used valid accounts to access SMB shares.[24] |
S0698 | HermeticWizard |
HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems.[25] |
G0004 | Ke3chang |
Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[26][27] |
S0236 | Kwampirs |
Kwampirs copies itself over network shares to move laterally on a victim network.[28] |
G0032 | Lazarus Group |
Lazarus Group malware SierraAlfa accesses the |
S0532 | Lucifer | |
S0039 | Net |
Lateral movement can be done with Net through |
S0056 | Net Crawler |
Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[33] |
S0368 | NotPetya |
NotPetya can use PsExec, which interacts with the |
S0365 | Olympic Destroyer |
Olympic Destroyer uses PsExec to interact with the |
G0116 | Operation Wocao |
Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.[38] |
G0071 | Orangeworm |
Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.[28] |
S0029 | PsExec |
PsExec, a tool that has been used by adversaries, writes programs to the |
S0019 | Regin |
The Regin malware platform can use Windows admin shares to move laterally.[39] |
S0446 | Ryuk |
Ryuk has used the C$ network share for lateral movement.[40] |
G0034 | Sandworm Team |
Sandworm Team has run |
S0140 | Shamoon |
Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.[42] |
S0603 | Stuxnet | |
G0028 | Threat Group-1314 |
Threat Group-1314 actors mapped network drives using |
G0010 | Turla |
Turla used |
G0102 | Wizard Spider |
Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[46][47] |
S0672 | Zox | |
S0350 | zwShell |
zwShell has been copied over network shares to move laterally.[49] |
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic |
Consider using the host firewall to restrict file sharing communications such as SMB. [50] |
M1035 | Limit Access to Resource Over Network |
Consider disabling Windows administrative shares. |
M1027 | Password Policies |
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. |
M1026 | Privileged Account Management |
Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems. |
Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. [51][52] Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.[53]