|T1021.001||Remote Desktop Protocol|
|T1021.002||SMB/Windows Admin Shares|
|T1021.003||Distributed Component Object Model|
|T1021.006||Windows Remote Management|
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include
IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.
|C0025||2016 Ukraine Electric Power Attack||
During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized
APT28 has mapped network drives using Net and administrator credentials.
APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.
APT32 used Net to use Windows' hidden network shares to copy their tools to remote machines for execution.
APT41 has transferred implant files using Windows Admin Shares.
BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.
Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.
|S1063||Brute Ratel C4||
Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.
Chimera has used Windows admin shares to move laterally.
Cobalt Strike can use Window admin shares (C$ and ADMIN$) for lateral movement.
Conficker variants spread through NetBIOS share propagation.
Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.
Deep Panda uses net.exe to connect to network shares using
Diavol can spread throughout a network via SMB prior to encryption.
Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.
Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced. 
FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.
Fox Kitten has used valid accounts to access SMB shares.
HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems.
Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.
Kwampirs copies itself over network shares to move laterally on a victim network.
Lazarus Group malware SierraAlfa accesses the
Moses Staff has used batch scripts that can enable SMB on a compromised host.
Lateral movement can be done with Net through
Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.
NotPetya can use PsExec, which interacts with the
Olympic Destroyer uses PsExec to interact with the
During Operation Wocao, threat actors used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.
Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.
PsExec, a tool that has been used by adversaries, writes programs to the
The Regin malware platform can use Windows admin shares to move laterally.
Ryuk has used the C$ network share for lateral movement.
Sandworm Team has copied payloads to the
Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.
During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users.
Threat Group-1314 actors mapped network drives using
Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.
zwShell has been copied over network shares to move laterally.
|M1037||Filter Network Traffic||
Consider using the host firewall to restrict file sharing communications such as SMB. 
|M1035||Limit Access to Resource Over Network||
Consider disabling Windows administrative shares.
Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.
|M1026||Privileged Account Management||
Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that connect to remote shares, such as Net, on the command-line interface and Discovery techniques that could be used to find remotely accessible systems.
|DS0028||Logon Session||Logon Session Creation||
Monitor for logon behavior (ex: EID 4624 Logon Type 3) using Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. 
|DS0033||Network Share||Network Share Access||
Monitor interactions with network shares, such as reads or file transfers, using Server Message Block (SMB).
|DS0029||Network Traffic||Network Connection Creation||
Monitor for newly constructed network connections (typically over ports 139 or 445), especially those that are sent or received by abnormal or untrusted hosts. Correlate these network connections with remote login events and associated SMB-related activity such as file transfers and remote process execution.
|Network Traffic Flow||
Monitor network data for uncommon SMB data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
Implementation 1: SMB Write
Implementation 2: SMB Copy and Execution