T1021.002 SMB/Windows Admin Shares Mappings

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.(Citation: Microsoft Admin Shares)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1021.002 SMB/Windows Admin Shares
AC-02 Account Management Protects T1021.002 SMB/Windows Admin Shares
AC-03 Access Enforcement Protects T1021.002 SMB/Windows Admin Shares
AC-04 Information Flow Enforcement Protects T1021.002 SMB/Windows Admin Shares
AC-05 Separation of Duties Protects T1021.002 SMB/Windows Admin Shares
AC-06 Least Privilege Protects T1021.002 SMB/Windows Admin Shares
CA-07 Continuous Monitoring Protects T1021.002 SMB/Windows Admin Shares
CM-02 Baseline Configuration Protects T1021.002 SMB/Windows Admin Shares
CM-05 Access Restrictions for Change Protects T1021.002 SMB/Windows Admin Shares
CM-06 Configuration Settings Protects T1021.002 SMB/Windows Admin Shares
CM-07 Least Functionality Protects T1021.002 SMB/Windows Admin Shares
IA-02 Identification and Authentication (organizational Users) Protects T1021.002 SMB/Windows Admin Shares
SC-07 Boundary Protection Protects T1021.002 SMB/Windows Admin Shares
SI-10 Information Input Validation Protects T1021.002 SMB/Windows Admin Shares
SI-15 Information Output Filtering Protects T1021.002 SMB/Windows Admin Shares
SI-04 System Monitoring Protects T1021.002 SMB/Windows Admin Shares