Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB (Citation: Wikipedia Server Message Block), to interact with systems using remote procedure calls (RPCs) (Citation: TechNet RPC), to transfer files, and to run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-17 | Remote Access | Protects | T1021.002 | SMB/Windows Admin Shares | |
AC-2 | Account Management | Protects | T1021.002 | SMB/Windows Admin Shares | |
AC-3 | Access Enforcement | Protects | T1021.002 | SMB/Windows Admin Shares | |
AC-4 | Information Flow Enforcement | Protects | T1021.002 | SMB/Windows Admin Shares | |
AC-5 | Separation of Duties | Protects | T1021.002 | SMB/Windows Admin Shares | |
AC-6 | Least Privilege | Protects | T1021.002 | SMB/Windows Admin Shares | |
CA-7 | Continuous Monitoring | Protects | T1021.002 | SMB/Windows Admin Shares | |
CM-2 | Baseline Configuration | Protects | T1021.002 | SMB/Windows Admin Shares | |
CM-5 | Access Restrictions for Change | Protects | T1021.002 | SMB/Windows Admin Shares | |
CM-6 | Configuration Settings | Protects | T1021.002 | SMB/Windows Admin Shares | |
CM-7 | Least Functionality | Protects | T1021.002 | SMB/Windows Admin Shares | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1021.002 | SMB/Windows Admin Shares | |
SC-7 | Boundary Protection | Protects | T1021.002 | SMB/Windows Admin Shares | |
SI-10 | Information Input Validation | Protects | T1021.002 | SMB/Windows Admin Shares | |
SI-15 | Information Output Filtering | Protects | T1021.002 | SMB/Windows Admin Shares | |
SI-4 | System Monitoring | Protects | T1021.002 | SMB/Windows Admin Shares | |
network_security_groups | Network Security Groups | technique_scores | T1021.002 | SMB/Windows Admin Shares | Comments: This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented, though, if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score. |
azure_sentinel | Azure Sentinel | technique_scores | T1021.002 | SMB/Windows Admin Shares | Comments: The Azure Sentinel Hunting "Anomalous Resource Access" query can identify potential lateral movement via use of valid accounts to access network shares (Windows Event 4624, logon type 3). |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1021.002 | SMB/Windows Admin Shares | Comments: This control's "Remote code execution attempt (external ID 2019)" alert can detect remote code execution via PsExec. This may lead to false positives, as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers. Additionally, this alert appears to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage. This control's "Data exfiltration over SMB (external ID 2030)" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB. |
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1021.002 | SMB/Windows Admin Shares | Comments: This control can detect anomalous traffic with respect to remote access protocols and groups. |
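The technique description above names the hidden administrative shares (C$, ADMIN$, IPC$), and the Azure Sentinel row notes that network logons (Windows Event 4624, logon type 3) are the signal its hunting query keys on. The following is an added example, not code from the mapping page or from any of the listed products, showing how a defender can correlate those two signals in exported Security-log records: a network logon to a host followed by Event 5140 (a network share object was accessed) against an admin share from a source address outside an allow-list, plus a simple fan-out check for one account opening admin shares on several hosts. The event field names, the allow-list of trusted admin hosts, and the sample records are all constructed for this example.

```python
"""Added example: correlate network logons with admin-share access.

Assumptions (constructed for this example, not from the page):
  - Events are dicts with a subset of Windows Security-log fields.
  - EventID 4624 with LogonType 3 is a network logon.
  - EventID 5140 carries ShareName in the form \\\\*\\NAME.
  - ADMIN_HOSTS lists the only source IPs expected to open admin shares.
"""
from collections import defaultdict
import re

# Hidden admin shares end in "$": drive shares (C$, D$, ...), ADMIN$, IPC$.
ADMIN_SHARE = re.compile(r"\\(?:[A-Z]|ADMIN|IPC)\$$", re.IGNORECASE)

# Hypothetical allow-list: e.g. a jump host / backup server. Constructed.
ADMIN_HOSTS = {"10.0.10.5"}

# Constructed sample Security-log records (relevant fields only).
SAMPLE_EVENTS = [
    # Backup account from the trusted host opens ADMIN$: expected, not flagged.
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.10.5", "TimeCreated": "2024-01-01T08:00:00"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.10.5", "ShareName": r"\\*\ADMIN$", "TimeCreated": "2024-01-01T08:00:02"},
    # Workstation-sourced network logon to a DC, then C$ opened: flagged.
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetUserName": "jdoe",
     "IpAddress": "10.0.50.23", "TimeCreated": "2024-01-01T09:10:00"},
    {"EventID": 5140, "Computer": "DC01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.50.23", "ShareName": r"\\*\C$", "TimeCreated": "2024-01-01T09:10:01"},
    # Same account opens ADMIN$ on a second host (no 4624 in this sample): flagged.
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "IpAddress": "10.0.50.23", "ShareName": r"\\*\ADMIN$", "TimeCreated": "2024-01-01T09:12:30"},
    # Ordinary share and an interactive logon: ignored by the rules.
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "alice",
     "IpAddress": "10.0.50.40", "ShareName": r"\\*\Public", "TimeCreated": "2024-01-01T09:15:00"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 2, "TargetUserName": "alice",
     "IpAddress": "127.0.0.1", "TimeCreated": "2024-01-01T09:16:00"},
]


def is_admin_share(share):
    """True when a 5140 ShareName refers to a hidden administrative share."""
    return bool(ADMIN_SHARE.search(share or ""))


def detect(events, admin_hosts=ADMIN_HOSTS, fanout_threshold=2):
    """Return findings for admin-share access from untrusted sources and fan-out."""
    findings = []
    # (target host, source ip) -> users seen in a 4624 network logon there
    net_logons = defaultdict(set)
    # user -> hosts on which that user opened an admin share
    fanout = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4624 and ev.get("LogonType") == 3:
            net_logons[(ev["Computer"], ev["IpAddress"])].add(ev["TargetUserName"].lower())
        elif ev["EventID"] == 5140 and is_admin_share(ev.get("ShareName")):
            user, src, target = ev["SubjectUserName"].lower(), ev["IpAddress"], ev["Computer"]
            fanout[user].add(target)
            if src not in admin_hosts:
                findings.append({
                    "rule": "admin_share_from_untrusted_source",
                    "user": user, "source": src, "target": target,
                    "share": ev["ShareName"],
                    # Was a 4624/type-3 logon for this user seen from the same source?
                    "preceded_by_network_logon": user in net_logons[(target, src)],
                })
    # One account touching admin shares on many hosts is the lateral-movement shape.
    for user, hosts in fanout.items():
        if len(hosts) >= fanout_threshold:
            findings.append({"rule": "admin_share_fanout", "user": user, "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the detector reports two untrusted-source findings for `jdoe` (one with a matching network logon, one without) and one fan-out finding listing both hosts, while the allow-listed backup account and the non-admin share produce nothing. In a real deployment the allow-list and the fan-out threshold would be tuned per environment, since the Defender for Identity comments above note the same legitimate-administration false-positive problem.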