T1021.002 SMB/Windows Admin Shares Mappings

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB (Citation: Wikipedia Server Message Block), to interact with systems using remote procedure calls (RPCs) (Citation: TechNet RPC), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels (Citation: Microsoft Admin Shares).

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1021.002 | SMB/Windows Admin Shares | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enables faster, real-time detection of attacks that abuse SMB/Windows Admin Shares. This integrated solution strengthens CrowdStrike Falcon's ability to detect and mitigate threats earlier in the kill chain while minimizing system performance impact. SMB/Windows Admin Shares attacks involve adversaries abusing Windows file-sharing services (Server Message Block, SMB) and administrative shares (e.g., C$ or ADMIN$) to gain unauthorized access to sensitive files, move laterally within a network, or escalate privileges. Attackers often use these shares to exfiltrate data, deploy malware, or maintain persistence on compromised systems. Intel TDT supports identification of these threats by providing real-time telemetry on program execution, memory access, and control flow, allowing security teams to detect suspicious SMB/Windows Admin Shares activity such as unauthorized access to shared resources. CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, enabling faster, more efficient detection of malicious activity without impacting system performance. CAMS helps identify abnormal behaviors, such as unauthorized file access or attempts to use SMB/Windows Admin Shares for lateral movement, providing proactive defense against these evasive techniques.