1. Home
  2. Techniques
  3. Enterprise
  4. Remote Services
  5. SMB/Windows Admin Shares

Remote Services: SMB/Windows Admin Shares

ID Name
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
T1021.003 Distributed Component Object Model
T1021.004 SSH
T1021.005 VNC
T1021.006 Windows Remote Management
T1021.007 Cloud Services
T1021.008 Direct Cloud VM Connections

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,[1] to interact with systems using remote procedure calls (RPCs),[2] transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.[3]

ID: T1021.002
Sub-technique of:  T1021
Tactic: Lateral Movement
Platforms: Windows
Version: 1.3
Created: 11 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0025 2016 Ukraine Electric Power Attack

During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized net use to connect to network shares.[4]
S0504 Anchor

Anchor can support windows execution via SMB shares.[5]
G0007 APT28

APT28 has mapped network drives using Net and administrator credentials.[6]
C0051 APT28 Nearest Neighbor Campaign

During APT28 Nearest Neighbor Campaign, APT28 leveraged SMB to transfer files and move laterally.[7]
G0022 APT3

APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[8]
G0050 APT32

APT32 used Net to use Windows' hidden network shares to copy their tools to remote machines for execution.[9]
G0087 APT39

APT39 has used SMB for lateral movement.[10]
G0096 APT41

APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executes files through Windows Management Instrumentation (WMI).[11][12]
G0143 Aquatic Panda

Aquatic Panda used remote shares to enable lateral movement in victim environments.[13]
G1043 BlackByte

BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.[14][15][16]
S1180 BlackByte Ransomware

BlackByte Ransomware uses mapped shared folders to transfer ransomware payloads via SMB.[17]
S0089 BlackEnergy

BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[18]
G0108 Blue Mockingbird

Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.[19]
S1063 Brute Ratel C4

Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.[20][21][22]
G0114 Chimera

Chimera has used Windows admin shares to move laterally.[23][24]
G1021 Cinnamon Tempest

Cinnamon Tempest has used SMBexec for lateral movement.[25]
S0154 Cobalt Strike

Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement.[26][27]
S0608 Conficker

Conficker variants spread through NetBIOS share propagation.[28]
S0575 Conti

Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.[29][30]
C0029 Cutting Edge

During Cutting Edge, threat actors moved laterally using compromised credentials to connect to internal Windows systems with SMB.[31]
G0009 Deep Panda

Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[32]
S0659 Diavol

Diavol can spread throughout a network via SMB prior to encryption.[33]
S0038 Duqu

Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[34]
S0367 Emotet

Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement. [35][36]

G1016 FIN13

FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.[37]
G0061 FIN8

FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.[38][39]
G0117 Fox Kitten

Fox Kitten has used valid accounts to access SMB shares.[40]
S0698 HermeticWizard

HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems.[41]
C0038 HomeLand Justice

During HomeLand Justice, threat actors used SMB for lateral movement.[42][43]
G0004 Ke3chang

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[44][45]
S0236 Kwampirs

Kwampirs copies itself over network shares to move laterally on a victim network.[46]
G0032 Lazarus Group

Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[47][48]
C0049 Leviathan Australian Intrusions

Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.[49]
S1199 LockBit 2.0

LockBit 2.0 has the ability to move laterally via SMB.[50][51]
S1202 LockBit 3.0

LockBit 3.0 can use SMB for lateral movement.[52]
S0532 Lucifer

Lucifer can infect victims by brute forcing SMB.[53]
G1009 Moses Staff

Moses Staff has used batch scripts that can enable SMB on a compromised host.[54]
S0039 Net

Lateral movement can be done with Net through net use commands to connect to the on remote systems.[55]
S0056 Net Crawler

Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[56]
S0368 NotPetya

NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[57][58][59]
S0365 Olympic Destroyer

Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.[60][59]
C0048 Operation MidnightEclipse

During Operation MidnightEclipse, threat actors used SMB to pivot internally in victim networks.[61]
C0014 Operation Wocao

During Operation Wocao, threat actors used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.[62]
G0071 Orangeworm

Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.[46]
G1040 Play

Play has used Cobalt Strike to move laterally via SMB.[63]
S0029 PsExec

PsExec, a tool that has been used by adversaries, writes programs to the ADMIN$ network share to execute commands on remote systems.[59]
S1242 Qilin

Qilin can embed a copy of PsExec within its payload and place it in the %Temp% directory under a randomly generated filename.[64]
S1212 RansomHub

RansomHub can use credentials provided in its configuration to move laterally from the infected machine over SMBv2.[65]
S1187 reGeorg

reGeorg has the ability to tunnel SMB sessions.[66]
S0019 Regin

The Regin malware platform can use Windows admin shares to move laterally.[67]
S1073 Royal

Royal can use SMB to connect to move laterally.[68]
S0446 Ryuk

Ryuk has used the C$ network share for lateral movement.[69]
G0034 Sandworm Team

Sandworm Team has copied payloads to the ADMIN$ share of remote systems and run net use to connect to network shares.[4][70]
S0140 Shamoon

Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.[71]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users.[72]
G1046 Storm-1811

Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.[73]
S0603 Stuxnet

Stuxnet propagates to available network shares.[74]
G0028 Threat Group-1314

Threat Group-1314 actors mapped network drives using net use.[75]
G1022 ToddyCat

ToddyCat has used locally mounted network shares for lateral movement through targated environments.[76]
G0010 Turla

Turla used net use commands to connect to lateral systems within a network.[77]
G1047 Velvet Ant

Velvet Ant has transferred tools within victim environments using SMB.[78]
G0102 Wizard Spider

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[79][80]
S0672 Zox

Zox has the ability to use SMB for communication.[81]
S0350 zwShell

zwShell has been copied over network shares to move laterally.[82]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

Consider using the host firewall to restrict file sharing communications such as SMB. [83]
M1035 Limit Access to Resource Over Network

Consider disabling Windows administrative shares.
M1027 Password Policies

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
M1026 Privileged Account Management

Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0530 Multi-Event Detection for SMB Admin Share Lateral Movement AN1468

An SMB-based remote file share access followed by lateral movement actions such as remote service creation, task scheduling, or suspicious process execution on the target host using ADMIN$ or C$ shares.

References

  1. Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.
  2. Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
  3. Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.
  4. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  5. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  6. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  7. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  8. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  9. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  10. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  11. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  12. DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024.
  13. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  14. Huseyin Can Yuceel. (2022, February 21). TTPs used by BlackByte Ransomware Targeting Critical Infrastructure. Retrieved December 16, 2024.
  15. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  16. James Nutland, Craig Jackson, Terryn Valikodath, & Brennan Evans. (2024, August 28). BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks. Retrieved December 16, 2024.
  17. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
  18. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  19. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  20. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  21. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  22. Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. Retrieved February 7, 2023.
  23. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  24. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  25. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  26. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
  27. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  28. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  29. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  30. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  31. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  32. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  33. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  34. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  35. Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  36. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  37. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  38. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  39. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  40. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  41. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  42. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  1. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  2. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  3. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  4. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  6. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  7. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  8. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  9. SentinelOne. (n.d.). LockBit 2.0: In-Depth Analysis, Detection, Mitigation, and Removal. Retrieved January 24, 2025.
  10. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  11. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  12. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  13. Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.
  14. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  15. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  16. US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
  17. Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
  18. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  19. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  20. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  21. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  22. Hacioglu, S. (2025, March 10). Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024. Retrieved September 26, 2025.
  23. Alfano, V. et al. (2025, February 12). RansomHub Never Sleeps Episode 1: The evolution of modern ransomware. Retrieved March 17, 2025.
  24. FortiGard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
  25. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  26. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  27. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
  28. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  29. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.
  30. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  31. Tyler McGraw, Thomas Elkins, and Evan McCann. (2024, May 10). Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators. Retrieved January 31, 2025.
  32. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  33. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  34. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  35. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  36. Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.
  37. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  38. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  39. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  40. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  41. Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020.