SMB/Windows Admin Shares (T1021.002)

Information

• Name: SMB/Windows Admin Shares

• ID: T1021.002

• Tactics:

• Technique:

Introduction

Windows Admin Shares (T1021.002) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Remote Services (T1021)." This sub-technique involves adversaries leveraging built-in administrative network shares in Windows operating systems, such as ADMIN$, C$, and IPC$, to gain unauthorized access and execute commands remotely. These shares are created by default on Windows systems and provide administrative-level access when authenticated properly. Attackers frequently exploit these shares to move laterally within a network, escalate privileges, and maintain persistence.

Deep Dive Into Technique

Windows Admin Shares are hidden network shares automatically created by Windows operating systems to facilitate administrative tasks. Common admin shares include:

• ADMIN$: Points to the Windows installation directory (usually C:\Windows).

• C$, D$, etc.: Root shares representing each drive letter on the system.

• IPC$ (Inter-Process Communication): Used for remote administration and communication between processes.

Attackers typically exploit these shares using the following methods and mechanisms:

• Credential Theft and Reuse: Attackers first obtain valid administrative credentials, often through credential dumping, phishing, or brute-force attacks, and then authenticate to the admin shares remotely.

• Remote Command Execution: Attackers use tools like PsExec, SMBexec, or built-in Windows utilities such as net use, copy, or xcopy to connect to admin shares, transfer files, and execute commands remotely.

• Lateral Movement and Persistence: Once an attacker gains access to an admin share, they can copy malicious payloads, scripts, or backdoors onto the target system, enabling them to maintain persistence and move laterally within the network.

• Fileless Techniques: Attackers sometimes execute code directly via admin shares without writing persistent files, reducing the likelihood of detection.

Example of command-line usage:

net use \\TARGET\ADMIN$ /user:DOMAIN\AdminUser Password
copy malicious.exe \\TARGET\ADMIN$\Temp\
PsExec.exe \\TARGET -s C:\Windows\Temp\malicious.exe

When this Technique is Usually Used

Attackers commonly utilize Windows Admin Shares in various attack scenarios, including:

• Initial Access and Reconnaissance:

  • After compromising initial credentials, attackers may use admin shares to remotely access and analyze other systems within the network.

• Lateral Movement:

  • Attackers frequently employ admin shares to pivot between internal systems, spreading malware or ransomware across endpoints.

• Privilege Escalation:

  • Admin shares provide attackers with administrative-level access, allowing them to escalate privileges by executing commands remotely.

• Persistence and Command-and-Control (C2):

  • Attackers may copy persistent backdoors or scheduled tasks to target machines via admin shares to maintain long-term access.

• Data Exfiltration:

  • Attackers can leverage admin shares to transfer sensitive data from compromised hosts to attacker-controlled systems.

How this Technique is Usually Detected

Detection of Windows Admin Shares exploitation typically involves monitoring specific indicators, behaviors, and logs:

• Event Log Monitoring:

  • Monitor Windows Security event logs for unusual or unexpected logins with administrative privileges (Event IDs 4624, 4672).

  • Monitor Windows SMB client and server logs for abnormal SMB connection attempts or SMB errors.

• Network Traffic Analysis:

  • Inspect network traffic for unusual SMB activity, especially SMB connections to admin shares (ADMIN$, IPC$, C$).

  • Utilize network intrusion detection systems (IDS) and intrusion prevention systems (IPS) to detect malicious SMB traffic patterns or known exploits.

• Endpoint Monitoring:

  • Employ endpoint detection and response (EDR) solutions to detect suspicious file transfers, remote command executions, or processes spawned from remote SMB connections.

  • Monitor the execution of remote administration tools such as PsExec, SMBexec, or custom scripts that utilize admin shares.

• Behavioral Analysis:

  • Identify abnormal user behavior, such as administrative accounts accessing multiple endpoints simultaneously or during unusual timeframes.

• Specific Indicators of Compromise (IoCs):

  • Presence of unauthorized binaries or scripts copied to system folders via admin shares.

  • Suspicious scheduled tasks or services created remotely through admin shares.

  • Unusual SMB connections from external IP addresses or internal hosts not typically performing administrative tasks.

Why it is Important to Detect This Technique

Detecting the exploitation of Windows Admin Shares is critical due to the significant impacts it can have on systems and networks:

• Rapid Lateral Movement:

  • Attackers can quickly move laterally across multiple systems, significantly increasing the scope and complexity of an incident.

• Privilege Escalation:

  • Exploiting admin shares often gives attackers immediate administrative privileges, enabling them to bypass standard security controls and gain full control over compromised systems.

• Persistence and Long-Term Compromise:

  • Attackers frequently use admin shares to establish persistent backdoors, making remediation more difficult and costly.

• Data Theft and Loss:

  • Attackers may leverage admin shares to exfiltrate sensitive data, potentially leading to data breaches, regulatory fines, and reputational damage.

• Facilitation of Ransomware Attacks:

  • Admin shares are commonly used by ransomware operators to propagate malware rapidly across networks, increasing the damage and recovery costs.

• Early Detection and Mitigation:

  • Timely identification of admin share misuse allows organizations to contain incidents early, reduce the attack surface, and minimize overall impact.

Examples

Real-world examples demonstrating the exploitation of Windows Admin Shares include:

• NotPetya Ransomware Attack (2017):

  • Attackers leveraged admin shares (ADMIN$, C$) combined with stolen credentials and SMB exploits (EternalBlue) to propagate rapidly within networks, causing billions of dollars in damages worldwide.

  • Tools used: EternalBlue exploit, PsExec, credential harvesting tools.

  • Impact: Significant global disruption, massive financial losses, widespread downtime.

• Ryuk Ransomware Attacks:

  • Ryuk operators commonly exploit admin shares to distribute ransomware payloads across internal networks after obtaining domain administrator credentials.

  • Attack scenario: Attackers initially compromise a single endpoint, escalate privileges, and then use admin shares to deploy ransomware to multiple endpoints simultaneously.

  • Tools used: PsExec, SMBexec, custom scripts.

  • Impact: Extensive data encryption, business interruption, costly recovery efforts.

• APT29 (Cozy Bear) Intrusions:

  • Russian state-sponsored APT29 actors have been known to utilize Windows Admin Shares during espionage operations to move laterally and establish persistence within compromised networks.

  • Tools used: Custom malware payloads, PowerShell scripts, PsExec.

  • Impact: Long-term espionage campaigns, sensitive data theft, persistent network compromise.

• FIN7 Cybercrime Group:

  • FIN7 utilized admin shares extensively to distribute malware payloads and perform lateral movement in targeted financial institutions and retail organizations.

  • Tools used: Carbanak malware, PsExec, SMB utilities.

  • Impact: Large-scale financial fraud, theft of payment card data, extensive financial losses and reputational harm.