# T1021.002 SMB/Windows Admin Shares

-----------------------------------------------------------------------

## Technique Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)

## Technique Detection

Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne)(Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as [Net](https://attack.mitre.org/software/S0039), on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.(Citation: Medium Detecting WMI Persistence)

-----------------------------------------------------------------------

### Tactics:

  *   Lateral-Movement

### Platforms:

  * Windows

### Adversary Required Permissions:

  * User

  * Administrator

### System Requirements:

  * SMB enabled; Host/network firewalls not blocking SMB ports between source and destination; Use of domain account in administrator group on remote system or default system admin account.

### Data Sources:

  * **Logon Session:** Logon Session Creation

  * **Network Traffic:** Network Traffic Flow

  * **Network Share:** Network Share Access

  * **Command:** Command Execution

  * **Network Traffic:** Network Connection Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used valid accounts to access SMB shares.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)| 
| Blue Mockingbird | [Blue Mockingbird](https://attack.mitre.org/groups/G0108) has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citation: RedCanary Mockingbird May 2020)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk's Return October 2020)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) has transferred implant files using Windows Admin Shares.(Citation: Crowdstrike GTR2020 Mar 2020)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used SMB for lateral movement.(Citation: Symantec Chafer February 2018)| 
| Orangeworm | [Orangeworm](https://attack.mitre.org/groups/G0071) has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.(Citation: Symantec Orangeworm April 2018)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) used [Net](https://attack.mitre.org/software/S0039) to use Windows' hidden network shares to copy their tools to remote machines for execution.(Citation: Cybereason Cobalt Kitty 2017)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has run <code>net use</code> to connect to network shares.(Citation: Dragos Crashoverride 2018) | 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SierraAlfa accesses the <code>ADMIN$</code> share via SMB to conduct lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)| 
| Threat Group-1314 | [Threat Group-1314](https://attack.mitre.org/groups/G0028) actors mapped network drives using <code>net use</code>.(Citation: Dell TG-1314)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.(Citation: Symantec Buckeye)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used administrative accounts to connect over SMB to targeted users.(Citation: CrowdStrike StellarParticle January 2022)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) used <code>net use</code> commands to connect to lateral systems within a network.(Citation: Kaspersky Turla)| 
| Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) uses net.exe to connect to network shares using <code>net use</code> commands with compromised credentials.(Citation: Alperovitch 2014)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has mapped network drives using [Net](https://attack.mitre.org/software/S0039) and administrator credentials.(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) actors have been known to copy files to the network shares of other computers to move laterally.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1021/002)

  * [Capec](https://capec.mitre.org/data/definitions/561.html)

  * [Wikipedia Server Message Block](https://en.wikipedia.org/wiki/Server_Message_Block), Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.

  * [Technet Rpc](https://technet.microsoft.com/en-us/library/cc787851.aspx), Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.

  * [Microsoft Admin Shares](http://support.microsoft.com/kb/314984), Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.

  * [Lateral Movement Payne](https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts), Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.

  * [Windows Event Forwarding Payne](https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem), Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.

  * [Medium Detecting Wmi Persistence](https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96), French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 29 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- **APT28**
    * Exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.
- **Turla**
    * Uses SMB to laterally transfer tools and move throughout a domain.
    * The attacks are known to have used at least two zero-day exploits:
        * CVE-2013-5065 – Privilege escalation vulnerability in Windows XP and Windows 2003
        * CVE-2013-3346 – Arbitrary code-execution vulnerability in Adobe Reader
    * **NOTE:** Although these CVEs have patches, they are still potential risk factors. Keep in mind that the MP may run legacy systems and their patch management may need improvement.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 |  | 1 |
| Turla | X | 2, 3 |

## Detection Blindspots

- Incorrect sensor placement will make identifying this TTP difficult. 
- If system admins are performing bad practices and mapping to C$, then this traffic will blend in.
- Encrypted SMB 3.x traffic will be difficult to inspect on the network, since the share, file and RPC details are not visible on the wire.

## Analytical References

  * [Fireeye Current Threat Report](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf)
  * [Wannacry Malware Analysis](https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html)
  * [CISA TA17-132A](https://us-cert.cisa.gov/ncas/alerts/TA17-132A)
  * [Microsoft - SMB COM Codes](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/32b5d4b7-d90b-483f-ad6a-003fd110f0ec)
  * [SMB Logs (net user command example)](https://docs.zeek.org/en/master/logs/smb.html)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

```
- Adversaries utilize the default Windows admin shares (C$, ADMIN$, IPC$) to copy malware and move laterally.
- Example command: net use m: \\192.168.189.155\c$ /USER:kirtar  (maps the remote C$ share to drive M:)
- This creates a handful of Security log events: EventID 4688 Process Create and EventID 4648 Logon attempt with explicit credentials.
- When hunting DCERPC/SMB connections, it may be useful to identify logons utilizing Kerberos, TACACS+ or LDAP.
```

#### Analytic 1

  * **Information:** Detect net use at source to map share

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** 4648 = A logon was attempted using explicit credentials

  * **Query_1:** ```Event_ID:1 AND <ip src>:<internal> AND <ip dst>:<internal>  AND <net.exe>```
  
  * **Query_2:** ```Event_ID:4648 AND <ip src>:<internal>```


#### Analytic 2

  * **Information:** Identify file creations (Event ID 11) from processes that have also made network connections (Event ID 3)

  * **Source:** Security Logs, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Replace *process name* with the process you're interrogating!

  * **Query_1:** ```(Event_ID:11 OR Event_ID:3) AND *process name*```


#### Analytic 3

  * **Information:** Detect net use result at the destination

  * **Source:** Sysmon, Winlogbeats

  * **Tool:** Kibana

  * **Notes:** Look for all three of the following events from Query 1 occurring at nearly the same time (together they show a local authentication with admin privileges). Then match on the source IP and determine the SID accessing the network share (Query 2).

  * **Query_1:** ```event.code: ("4776" OR "4672" OR "4624")```
  
  * **Query_2:** ```event.code: 5140```


#### Analytic 4

  * **Information:** Detect net use result at the destination

  * **Source:** Live System / Remote Connection

  * **Tool:** Powershell

  * **Notes:** Modify your InstanceID and dates according to your needs.

  * **Query_1:** ```Get-EventLog -LogName Security -InstanceId xxxx -Before (Get-Date) -After (Get-Date).AddDays(-1)```
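The host-side analytics above (Analytic 1 at the source, Analytic 3 at the destination) can be expressed as a small correlation over collected events. The block below is an added example, not part of the original notebook: the event records are constructed and their field names are simplified versions of the Sysmon and Security event fields, and the five-second window is an assumed value.

```python
"""Host-side correlation for admin-share access (Analytics 1 and 3 above).

Added example: the records below are constructed, not real telemetry, and the
field names are simplified versions of the Sysmon / Security event fields.
"""
import re
from datetime import datetime, timedelta

# Hidden admin shares in a UNC path: a drive letter plus '$', ADMIN$ or IPC$
ADMIN_SHARE_RE = re.compile(
    r"\\\\(?P<server>[^\\\s]+)\\(?P<share>[A-Za-z]\$|ADMIN\$|IPC\$)(?=\\|\s|$)",
    re.IGNORECASE,
)
# Event 5140 reports the share as \\*\NAME, so only the share name is checked
SHARE_NAME_RE = re.compile(r"\\\\\*\\(?P<share>[A-Za-z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)

# Constructed sample events: source WS01 maps \\10.0.0.20\C$ with the local
# account 'kirtar'; destination FS01 (10.0.0.20) logs the resulting logon and
# share access. The 'alice' records are a benign non-admin share access.
EVENTS = [
    {"ts": "2022-06-23T10:00:01", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use m: \\10.0.0.20\c$ /USER:kirtar", "user": "WS01\\jsmith"},
    {"ts": "2022-06-23T10:00:01", "host": "WS01", "event_id": 4648,
     "subject_user": "jsmith", "target_user": "kirtar", "target_server": "10.0.0.20"},
    {"ts": "2022-06-23T10:00:02", "host": "FS01", "event_id": 4776,
     "target_user": "kirtar", "workstation": "WS01"},
    {"ts": "2022-06-23T10:00:02", "host": "FS01", "event_id": 4624,
     "target_user": "kirtar", "logon_type": 3, "ip": "10.0.0.10", "logon_id": "0x3E7A1"},
    {"ts": "2022-06-23T10:00:02", "host": "FS01", "event_id": 4672,
     "subject_user": "kirtar", "logon_id": "0x3E7A1"},
    {"ts": "2022-06-23T10:00:03", "host": "FS01", "event_id": 5140,
     "subject_user": "kirtar", "ip": "10.0.0.10", "share_name": r"\\*\C$", "logon_id": "0x3E7A1"},
    {"ts": "2022-06-23T11:00:00", "host": "FS01", "event_id": 4624,
     "target_user": "alice", "logon_type": 3, "ip": "10.0.0.11", "logon_id": "0x4A0"},
    {"ts": "2022-06-23T11:00:01", "host": "FS01", "event_id": 5140,
     "subject_user": "alice", "ip": "10.0.0.11", "share_name": r"\\*\Public", "logon_id": "0x4A0"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def source_share_mappings(events, window_seconds=5):
    """Analytic 1: net.exe at the source mapping an admin share (Sysmon Event ID 1),
    paired with a 4648 explicit-credential logon to the same server if one exists."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for e in events:
        if e["event_id"] != 1 or not e["image"].lower().endswith("\\net.exe"):
            continue
        m = ADMIN_SHARE_RE.search(e["command_line"])
        if not m:
            continue
        explicit = any(
            x["event_id"] == 4648 and x["host"] == e["host"]
            and x.get("target_server") == m["server"]
            and abs(_ts(x) - _ts(e)) <= window
            for x in events
        )
        findings.append({"host": e["host"], "user": e["user"], "target": m["server"],
                         "share": m["share"].upper(), "explicit_creds": explicit})
    return findings


def destination_admin_share_access(events, window_seconds=5):
    """Analytic 3: a 5140 on an admin share preceded within the window by a network
    logon (4624, type 3) and a privileged-token assignment (4672) with the same
    LogonId. 4776 is reported when present; it only appears on the destination
    when that host validated NTLM credentials itself (local accounts)."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for e in events:
        if e["event_id"] != 5140 or not SHARE_NAME_RE.match(e["share_name"]):
            continue
        related = [x for x in events
                   if x["host"] == e["host"] and timedelta(0) <= _ts(e) - _ts(x) <= window]
        logon = any(x["event_id"] == 4624 and x.get("logon_type") == 3
                    and x.get("logon_id") == e["logon_id"] for x in related)
        privileged = any(x["event_id"] == 4672 and x.get("logon_id") == e["logon_id"]
                         for x in related)
        ntlm = any(x["event_id"] == 4776 and x.get("target_user") == e["subject_user"]
                   for x in related)
        if logon and privileged:
            findings.append({"host": e["host"], "source_ip": e["ip"], "user": e["subject_user"],
                             "share": SHARE_NAME_RE.match(e["share_name"])["share"].upper(),
                             "ntlm_validated_locally": ntlm})
    return findings


if __name__ == "__main__":
    for f in source_share_mappings(EVENTS) + destination_admin_share_access(EVENTS):
        print(f)
```

The destination check keys on the LogonId shared by 4624, 4672 and 5140 rather than on timestamps alone, which is what separates one operator's session from another user who happens to log on at the same second; the 4776 check is kept informational because domain-account NTLM validation is logged on the DC, not on the file server.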



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Detect Internal SMB Traffic
- The goal is to hunt for individual hosts reaching into many other hosts over SMB or hosts that should have limited permissions reaching into subnets they shouldn't be able to access. Generally speaking, suspicious SMB traffic.
- EternalBlue functions by forcing the use of SMBv1. Due to the nature of EternalBlue, the string "transaction2_secondary" will also be present in the traffic. SMBv1 and the secondary transaction are common indicators of EternalBlue being used.
- IPC\$ is not actually a share but exists to allow for subsequent named pipe connections to a server.
- **Turla**
    * Known to use _net use_ commands to move laterally.
        * Example command: `net use m: \\192.168.189.155\c$ /USER:kirtar` is used to map C\$
    * When hunting DCERPC/SMB connections, it may be useful to identify logons utilizing kerberos, tacacs+ or LDAP.

**SMB Analytics**
- Combine two or more simple indicators in SMB and DCE-RPC traffic to detect ATT&CK-like activity with a greater degree of confidence.
    * An SMB Lateral Movement indicator (e.g., an SMB File Write to a Windows Admin File Share: ADMIN$ or C$ only) is observed together with a DCE-RPC Execution indicator against the same (targeted) host, within a specified period of time:
        - T1021.002 Remote Services: SMB/Windows Admin Shares (file shares only, not named pipes), and
        - T1570 Lateral Tool Transfer, and
    * **One of the following:**
        - T1569.002 System Services: Service Execution
        - T1047 Windows Management Instrumentation
        - T1053.002 Scheduled Task/Job: At (Windows)
        - T1053.005 Scheduled Task/Job: Scheduled Task

- Possible DCERPC operations (these will be seen in Arkime's `dcerpc.cmd` field; Arkime was formerly named Moloch):
    - svcctl - CreateServiceW
    - svcctl - CreateServiceA
    - svcctl - StartServiceW
    - svcctl - StartServiceA
    - IWbemServices - ExecMethod
    - IWbemServices - ExecMethodAsync
    - atsvc - JobAdd
    - ITaskSchedulerService - SchRpcRegisterTask
    - ITaskSchedulerService - SchRpcRun
    - ITaskSchedulerService - SchRpcEnableTask

- Preference would be to `detect smb2_write_response event (instead of smb2_write_request)`, because it would confirm the file was actually written to the remote destination
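The pairing described above (an SMB file write to an admin file share plus one of the listed DCE-RPC execution operations against the same host) can be checked over Zeek's `smb_files.log` and `dce_rpc.log`. The block below is an added example written for this notebook, not BZAR's own code: the two logs are constructed, simplified Zeek-style TSV carrying only a subset of the real columns, the 300-second window is an assumed value, and the share match is generalised to ADMIN$ plus any drive-letter share (D$, E$ and so on) rather than ADMIN$ and C$ only.

```python
"""Pair an SMB file write to a Windows admin file share with a DCE-RPC execution
call against the same destination host inside a time window.

Added example, not BZAR itself: the two logs below are constructed, simplified
Zeek-style TSV (a subset of smb_files.log and dce_rpc.log columns).
"""
import re

# DCE-RPC interface -> operations that start code on the remote host
# (the list from the notes above)
EXEC_OPS = {
    "svcctl": {"CreateServiceW", "CreateServiceA", "StartServiceW", "StartServiceA"},
    "IWbemServices": {"ExecMethod", "ExecMethodAsync"},
    "atsvc": {"JobAdd"},
    "ITaskSchedulerService": {"SchRpcRegisterTask", "SchRpcRun", "SchRpcEnableTask"},
}
# Admin file shares: ADMIN$ or any drive-letter share; IPC$ is a pipe endpoint, not a file share
ADMIN_FILE_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?:ADMIN\$|[A-Za-z]\$)$", re.IGNORECASE)

SMB_FILES_FIELDS = ["ts", "orig_h", "resp_h", "action", "path", "name"]
DCE_RPC_FIELDS = ["ts", "orig_h", "resp_h", "endpoint", "operation"]

# constructed smb_files.log-style lines (one write to ADMIN$, one to a normal
# share, one admin-share open that is not a write)
SMB_FILES_LOG = (
    "1655978401.10\t10.0.0.10\t10.0.0.20\tSMB::FILE_WRITE\t\\\\10.0.0.20\\ADMIN$\tsvc.exe\n"
    "1655978405.00\t10.0.0.11\t10.0.0.21\tSMB::FILE_WRITE\t\\\\10.0.0.21\\Public\treport.docx\n"
    "1655979000.00\t10.0.0.12\t10.0.0.22\tSMB::FILE_OPEN\t\\\\10.0.0.22\\C$\tnotes.txt\n"
)
# constructed dce_rpc.log-style lines
DCE_RPC_LOG = (
    "1655978403.50\t10.0.0.10\t10.0.0.20\tsvcctl\tCreateServiceW\n"
    "1655978404.00\t10.0.0.10\t10.0.0.20\tsvcctl\tStartServiceW\n"
    "1655978406.00\t10.0.0.11\t10.0.0.21\tsrvsvc\tNetrShareEnum\n"
    "1655979100.00\t10.0.0.12\t10.0.0.22\tITaskSchedulerService\tSchRpcRegisterTask\n"
)


def parse_tsv(text, fields):
    """Split Zeek-style TSV lines (skipping '#' header/footer lines) into dicts."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def admin_share_writes(smb_rows):
    """T1021.002 + T1570 indicator: a file written onto ADMIN$ or a drive share."""
    return [r for r in smb_rows
            if r["action"] == "SMB::FILE_WRITE" and ADMIN_FILE_SHARE_RE.match(r["path"])]


def exec_calls(rpc_rows):
    """Execution indicator: a service, WMI or scheduled-task RPC call."""
    return [r for r in rpc_rows if r["operation"] in EXEC_OPS.get(r["endpoint"], ())]


def correlate(smb_files_text, dce_rpc_text, window_seconds=300):
    """Return one alert per admin-share write that has an execution call against
    the same destination host within window_seconds (in either order)."""
    writes = admin_share_writes(parse_tsv(smb_files_text, SMB_FILES_FIELDS))
    calls = exec_calls(parse_tsv(dce_rpc_text, DCE_RPC_FIELDS))
    alerts = []
    for w in writes:
        hits = [c for c in calls
                if c["resp_h"] == w["resp_h"]
                and abs(float(c["ts"]) - float(w["ts"])) <= window_seconds]
        if hits:
            alerts.append({
                "target": w["resp_h"], "source": w["orig_h"],
                "written": w["path"] + "\\" + w["name"],
                "exec": [f'{c["endpoint"]}::{c["operation"]}' for c in hits],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SMB_FILES_LOG, DCE_RPC_LOG):
        print(a)
```

Only `SMB::FILE_WRITE` actions count, which is the log-side equivalent of preferring the write response over the write request noted above: an open or read of C$ alone is not a tool transfer. Against real Zeek output, replace the two field lists with the column order from the `#fields` header of each log.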





#### Analytic 1

  * **Information:** Look for signs of valid user accounts being used to move laterally on the network. This may be done remotely or locally.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Identify all SMB shares, and pull out a unique list of paths. Identify any IPC$ C$ or Admin$.

  * **Query Arkime:** 
  - `protocols == [smb, dcerpc]`
  - `smb.share == EXISTS!`
  - `smb.share == *$*`
  - `smb.share == [*ADMIN$, C$, *IPC$] && ip.src == [10/8, 172.16/12, 192.168/16] && ip.dst == [10/8, 172.16/12, 192.168/16]`
  
  * **Query Kibana:** 
  - `protocol: (smb or dcerpc) and smb.user: (admin* or Admin*)`

#### Analytic 2

  * **Information:** Commands here are examples and should be modified to what is observed.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** The below are possible examples and should be modified as needed.

  * **Arkime Query:** 
      - `dcerpc.cmd == SchRpcGetLastRunInfo*`
      - `dcerpc.cmd == SchRpcRegisterTask*`
      - `dcerpc.cmd == SchRpcDelete*`
      - `dcerpc.cmd == ComplexPing*`
  
  * **Kibana Query:** 
      - `protocol: (smb or dcerpc) and smb.user: <admin account>`

#### Analytic 3

  * **Information:** Identify any admin level account utilizing smb to laterally move around the network.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** 

  * **Arkime Query:** 
      - `smb.user == EXISTS!`
      - `smb.user == <admin account>`
  
  * **Kibana Query:** 
      - `protocol: (smb or dcerpc) and smb.user: <admin account>`

#### Analytic 4

  * **Information:** Multiple DCERPC commands coming from one host should be investigated.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Exporting unique DCERPC commands with counts will help identify commands that are being run across the network. Common network enumeration commands should be analyzed. [BZAR Lateral Movement](https://github.com/mitre-attack/bzar)

  * **Arkime Query:** 
      - `dcerpc.cmd == EXISTS!`
      - `ip.src == <host> && dcerpc.cmd == <rpc command>`
  
  * **Kibana Query:** 
      - `protocol: (smb or dcerpc) and smb.user: (admin* or Admin*)`
  
#### Analytic 5

  * **Information:** Connecting to SMB shares by IP address instead of hostname. This often indicates interactive human use rather than automated access.
  
  * **Source:** SMB logs from Suricata, Bro, Windows Audits

  * **Tool:** Kibana, Arkime
  
  * **Query Pseudo:** ```path.keyword: /\\\\[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\\.*/```
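The regex above only recognises dotted IPv4 servers; the block below is an added example (not from the original notebook) that classifies the server part of a UNC path as IPv4, IPv6 (Windows writes IPv6 addresses in UNC paths in the `.ipv6-literal.net` form), the `\\*\` wildcard that Security event 5140 uses, or a hostname. The sample paths are constructed, in the shape Zeek's `smb_mapping.log` `path` field or a Sysmon command line would carry them.

```python
"""Classify the server part of UNC paths: IP literal (IPv4, or the Windows
.ipv6-literal.net form) versus hostname, as in Analytic 5 above.

Added example; the paths below are constructed, in the form Zeek's
smb_mapping.log 'path' field or a Sysmon command line would carry them.
"""
import ipaddress
import re

UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")
IPV6_LITERAL_SUFFIX = ".ipv6-literal.net"

# constructed sample paths
SAMPLE_PATHS = [
    r"\\10.0.0.20\C$",
    r"\\FS01.corp.example\C$",
    r"\\fe80--1ff-fe23-4567-890as3.ipv6-literal.net\ADMIN$",
    r"\\*\C$",        # how Security event 5140 writes the share name
    r"\\10.0.0.21\Public\docs",
]


def server_kind(server):
    """'ipv4', 'ipv6', 'wildcard' or 'hostname' for the server component of a UNC path."""
    if server == "*":
        return "wildcard"
    candidate = server
    if server.lower().endswith(IPV6_LITERAL_SUFFIX):
        # Windows encodes IPv6 in UNC paths as fe80--1.ipv6-literal.net,
        # with '-' for ':' and 's' before a zone id; the zone id is dropped here
        candidate = server[: -len(IPV6_LITERAL_SUFFIX)].replace("-", ":").split("s")[0]
    try:
        return "ipv%d" % ipaddress.ip_address(candidate).version
    except ValueError:
        return "hostname"


def classify_unc(path):
    """Return server, share and server kind for one UNC path, or None if not UNC."""
    m = UNC_RE.match(path)
    if not m:
        return None
    server, share = m.group(1), m.group(2)
    return {"path": path, "server": server, "share": share, "kind": server_kind(server)}


def ip_literal_accesses(paths):
    """Paths whose server was given as an IP literal instead of a hostname."""
    out = []
    for p in paths:
        c = classify_unc(p)
        if c and c["kind"] in ("ipv4", "ipv6"):
            out.append(c)
    return out


if __name__ == "__main__":
    for c in ip_literal_accesses(SAMPLE_PATHS):
        print(c["kind"], c["server"], c["share"])
```

The wildcard case matters when the input is the 5140 `Share Name` field: the server there is always `*`, so whether the client used an IP or a name has to come from the source-side command line or the network log, not from the destination event.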

