MITRE Technique [T1021.002] Remote Services: SMB/Windows Admin Shares

[T1021.002] Remote Services: SMB/Windows Admin Shares – Adversaries use SMB and hidden Windows admin shares to move laterally and perform remote file operations and execution as authenticated users. Monitor authenticated SMB activity, administrative share access, and anomalous remote execution to detect misuse. #SMB #LateralMovement

Keypoints

  • SMB provides file, printer, and IPC sharing on Windows and is often targeted for lateral movement.
  • Hidden admin shares like C$, ADMIN$, and IPC$ allow remote file copy and admin functions.
  • Adversaries use valid accounts or NTLM hashes to access admin shares, enabling remote execution.
  • Authenticated SMB sessions, and the RPC calls carried over SMB named pipes through IPC$, can be abused to create Scheduled Tasks or services on the remote host, or to invoke Windows Management Instrumentation, so that a file copied to a share is then executed.
  • Detection relies on centralized logging of logons, SMB access, process creation, and network connections.

Description:

  • Like a janitor who uses master keys to open any office door and move through a building, adversaries use admin SMB shares to traverse and operate across systems without breaking locks.
  • This technique uses Server Message Block with valid credentials or stolen NTLM hashes to access administrative network shares, transfer files, and trigger remote execution, enabling lateral movement and persistence across Windows hosts.

Detection:

  • Collect and centralize Windows Security Event Logs (4624/4625 logons, 5140/5145 network share and share object access, 4688 process creation with command line) and forward them via Windows Event Forwarding to a SIEM. Note that 5140/5145 are only produced when the Object Access > File Share and Detailed File Share audit subcategories are enabled, and 4688 carries the command line only when process creation auditing is configured to include it; neither is on by default.
  • Alert on successful network logons (4624, Logon Type 3) by high-privilege accounts that are immediately followed by access to administrative shares (C$, ADMIN$, IPC$) from the same source address.
  • Monitor for File Share Access events and large or unusual file transfers over SMB using network flow logs and SMB-specific telemetry.
  • Correlate SMB access with Process Creation events to detect file drop followed by execution (e.g., rundll32, schtasks, sc.exe, wmiexec-like activity). The classic PsExec pattern is a binary written to ADMIN$ (5145), a new service installed (System log 7045), and the binary started as a child of services.exe (4688).
  • Watch for NTLM authentication anomalies and Pass-the-Hash patterns, such as one account logging on to many hosts in a short window, NTLM network logons (4624, Logon Type 3, authentication package NTLM) from hosts that should be authenticating with Kerberos, and network logons with no corresponding interactive session on the source host.
  • Use endpoint EDR to flag use of tools and commands that connect to remote shares (net use, copy, robocopy, smbclient) and to capture command-line arguments.
  • Reduce false positives by baselining normal admin share usage per account and host; tune thresholds and allowlist known admin automation and backup services. IPC$ is touched by ordinary named-pipe RPC traffic, so IPC$ access alone is a poor signal and should be paired with a follow-on indicator such as remote service or task creation.
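As an added example, not part of the ATT&CK page, the following Python correlates three of the detection bullets above over a constructed event sample: a network logon followed by admin share access and a suspicious process creation on the same host, a per-account NTLM fan-out across several hosts, and an allowlist for a known backup account. The event keys (host, user, src_ip, share, image, parent) are an assumed normalized schema that a log pipeline would map from raw EVTX fields (TargetUserName, IpAddress, ShareName, NewProcessName, ParentProcessName); the hosts, users, addresses and the CORP\svc_backup allowlist entry are invented.

```python
"""Correlate Windows Security events for T1021.002 admin share lateral movement.

Added example (not from the ATT&CK page). Events use an assumed normalized
schema; raw EVTX fields would be mapped onto these keys by the log pipeline.
"""
import json
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
# Images the Detection bullets name for execution after a file drop, plus the
# PsExec service binary; matched by basename, case-insensitively.
SUSPICIOUS_IMAGES = {"rundll32.exe", "schtasks.exe", "sc.exe", "psexesvc.exe"}
# Assumption: a known backup automation account that legitimately touches C$.
ALLOWLIST = {"CORP\\svc_backup"}

# Constructed sample (JSON lines); hosts, users and addresses are invented.
# 4624 = logon, 5140/5145 = share access, 4688 = process creation.
SAMPLE_LOG = r"""
{"time":"2024-03-01T09:00:00","id":4624,"host":"WS-12","user":"CORP\\jdoe","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.55"}
{"time":"2024-03-01T09:00:02","id":5145,"host":"WS-12","user":"CORP\\jdoe","src_ip":"10.0.0.55","share":"\\\\*\\ADMIN$","target":"PSEXESVC.exe"}
{"time":"2024-03-01T09:00:04","id":4688,"host":"WS-12","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\PSEXESVC.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"time":"2024-03-01T09:00:30","id":4624,"host":"WS-13","user":"CORP\\jdoe","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.55"}
{"time":"2024-03-01T09:00:41","id":4624,"host":"WS-14","user":"CORP\\jdoe","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.55"}
{"time":"2024-03-01T09:00:55","id":4624,"host":"WS-15","user":"CORP\\jdoe","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.55"}
{"time":"2024-03-01T09:05:00","id":4624,"host":"FS-01","user":"CORP\\svc_backup","logon_type":3,"auth":"Kerberos","src_ip":"10.0.0.9"}
{"time":"2024-03-01T09:05:01","id":5140,"host":"FS-01","user":"CORP\\svc_backup","src_ip":"10.0.0.9","share":"\\\\*\\C$"}
{"time":"2024-03-01T09:10:00","id":4624,"host":"FS-01","user":"CORP\\asmith","logon_type":3,"auth":"Kerberos","src_ip":"10.0.0.70"}
{"time":"2024-03-01T09:10:01","id":5140,"host":"FS-01","user":"CORP\\asmith","src_ip":"10.0.0.70","share":"\\\\*\\Finance"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def basename(path):
    """Last component of a Windows path or UNC share name (\\\\*\\ADMIN$ -> admin$), lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_share_then_exec(events, window_s=300):
    """Network logon -> admin share access (same user/source/host) -> suspicious
    process creation on that host, all within window_s seconds of the logon.
    IPC$ alone is noisy, so the rule only fires when the execution stage is present."""
    alerts = []
    for logon in events:
        if logon["id"] != 4624 or logon["logon_type"] != 3 or logon["user"] in ALLOWLIST:
            continue
        deadline = logon["time"] + timedelta(seconds=window_s)
        shares = [
            e for e in events
            if e["id"] in (5140, 5145)
            and e["host"] == logon["host"] and e["user"] == logon["user"]
            and e["src_ip"] == logon["src_ip"]
            and logon["time"] <= e["time"] <= deadline
            and basename(e["share"]).upper() in ADMIN_SHARES
        ]
        if not shares:
            continue
        execs = [
            e for e in events
            if e["id"] == 4688 and e["host"] == logon["host"]
            and shares[0]["time"] <= e["time"] <= deadline
            and (basename(e["image"]) in SUSPICIOUS_IMAGES
                 or basename(e.get("parent", "")) == "services.exe")
        ]
        if execs:
            alerts.append({
                "rule": "admin_share_then_exec",
                "host": logon["host"], "user": logon["user"], "src_ip": logon["src_ip"],
                "share": basename(shares[0]["share"]).upper(),
                "image": basename(execs[0]["image"]),
                "logon_time": logon["time"].isoformat(),
            })
    return alerts


def detect_ntlm_fanout(events, window_s=120, min_hosts=3):
    """One account producing NTLM network logons to min_hosts distinct hosts
    within window_s seconds: a Pass-the-Hash / mass lateral movement pattern."""
    alerts = []
    by_user = {}
    for e in events:
        if (e["id"] == 4624 and e["logon_type"] == 3 and e.get("auth") == "NTLM"
                and e["user"] not in ALLOWLIST):
            by_user.setdefault(e["user"], []).append(e)
    for user, logons in by_user.items():  # logons are already time-ordered
        for i, first in enumerate(logons):
            hosts = {e["host"] for e in logons[i:]
                     if (e["time"] - first["time"]).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "ntlm_fanout", "user": user,
                               "hosts": sorted(hosts), "start": first["time"].isoformat()})
                break  # one alert per account per burst
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect_share_then_exec(events) + detect_ntlm_fanout(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Against the sample, the first rule fires once (CORP\jdoe on WS-12: NTLM logon, PSEXESVC.exe written to ADMIN$, then started under services.exe) and the second once (the same account reaching four hosts inside a minute); the allowlisted backup account touching C$ and the ordinary user opening the Finance share produce nothing. Shrinking window_s to a second suppresses the first alert, which is the knob the tuning bullet above refers to.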

Tactics:
Lateral Movement

Platforms:
Windows

Data Sources:
Command: Command Execution, Logon Session: Logon Session Creation, Network Share: Network Share Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation

Relationship Citations:
(Citation: McAfee Night Dragon),(Citation: Nearest Neighbor Volexity),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Novetta Blockbuster),(Citation: ESET Hermetic Wizard March 2022),(Citation: Cobalt Strike TTPs Dec 2017),(Citation: CarbonBlack Conti July 2020),(Citation: Symantec Orangeworm April 2018),(Citation: Palo Alto Brute Ratel July 2022),(Citation: Bitdefender Sardonic Aug 2021),(Citation: Trustwave BlackByte 2021),(Citation: rapid7-email-bombing),(Citation: Trend Micro Black Basta October 2022),(Citation: Symantec Chafer February 2018),(Citation: NCC Group APT15 Alive and Strong),(Citation: apt41_dcsocytec_dec2022),(Citation: DFIR Ryuk 2 Hour Speed Run November 2020),(Citation: US-CERT NotPetya 2017),(Citation: SentinelOne LockBit 2.0),(Citation: CISA AA20-259A Iran-Based Actor September 2020),(Citation: Fortinet reGeorg MAR 2019),(Citation: Symantec Buckeye),(Citation: Unit 42 Lucifer June 2020),(Citation: MDSec Brute Ratel August 2022),(Citation: PsExec Russinovich),(Citation: Talos Nyetya June 2017),(Citation: FireEye Shamoon Nov 2016),(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023),(Citation: Sygnia VelvetAnt 2024A),(Citation: Cylance Cleaver),(Citation: RedCanary Mockingbird May 2020),(Citation: CrowdStrike StellarParticle January 2022),(Citation: DFIR Ryuk’s Return October 2020),(Citation: Cybereason Conti Jan 2021),(Citation: Cybereason Cobalt Kitty 2017),(Citation: FoxIT Wocao December 2019),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: Dell TG-1314),(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: Talos Olympic Destroyer 2018),(Citation: Alperovitch 2014),(Citation: Crowdstrike GTR2020 Mar 2020),(Citation: SANS Conficker),(Citation: Picus BlackByte 2022),(Citation: FireEye Know Your Enemy FIN8 Aug 2016),(Citation: NCC Group Chimera January 2021),(Citation: Medium Anchor DNS July 2020),(Citation: Microsoft Albanian Government Attacks September 2022),(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021),(Citation: Cisco BlackByte 2024),(Citation: Checkpoint MosesStaff Nov 2021),(Citation: Crowdstrike HuntReport 2022),(Citation: Fortinet Diavol July 2021),(Citation: Novetta-Axiom),(Citation: Savill 1999),(Citation: Kaspersky ToddyCat Check Logs October 2023),(Citation: Binary Defense Emotes Wi-Fi Spreader),(Citation: Dragos Crashoverride 2018),(Citation: Volexity UPSTYLE 2024),(Citation: Bleeping Computer – Ryuk WoL),(Citation: Sygnia Emperor Dragonfly October 2022),(Citation: Microsoft BlackByte 2023),(Citation: Cybereason Royal December 2022),(Citation: Volexity Ivanti Zero-Day Exploitation January 2024),(Citation: Group-IB RansomHub FEB 2025),(Citation: Kaspersky Turla),(Citation: Dark Vortex Brute Ratel C4),(Citation: Symantec W32.Duqu),(Citation: Malwarebytes Emotet Dec 2017),(Citation: Trend Micro Ransomware Spotlight Play July 2023),(Citation: Palo Alto Lockbit 2.0 JUN 2022),(Citation: CISA Leviathan 2024),(Citation: Novetta Blockbuster RATs),(Citation: Kaspersky Regin),(Citation: Microsoft Prestige ransomware October 2022),(Citation: CISA Iran Albanian Attacks September 2022),(Citation: Securelist BlackEnergy Nov 2014),(Citation: Cycraft Chimera April 2020),(Citation: Microsoft Preventing SMB)

Read More: https://attack.mitre.org/techniques/T1021/002