Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares includeC$,ADMIN$, andIPC$.Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
The Net utility can be used to connect to Windows admin shares on remote systems using
net usecommands with valid credentials. (Citation: Technet Net Use)Detection: Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. (Citation: Lateral Movement Payne) (Citation: Windows Event Forwarding Payne) Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.
Platforms: Windows
Data Sources: Process use of network, Authentication logs, Process command-line parameters, Process monitoring
Permissions Required: Administrator
System Requirements: File and printer sharing over SMB enabled. Host/network firewalls not blocking SMB ports between source and destination. Use of domain account in administrator group on remote system or default system admin account.
Connecting To Remote Shares
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| share_name | Examples C$, IPC$, Admin$ | String | C$ |
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| computer_name | Target Computer Name | String | Target |
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"