T1021.002

SMB/Windows Admin Shares

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba. Windo...

Platform: Windows
67 Detections
4 Sources
26 Threat Actors

BY SOURCE

sigma: 35
elastic: 20
splunk_escu: 11
crowdstrike_cql: 1

PROCEDURES (37)

Procedure groups are auto-extracted; each entry lists the number of detections in that group.

Process Creation Monitoring: 6 detections
General Monitoring: 4 detections
Named Pipe: 4 detections
Lateral: 4 detections
Dll Hijack: 3 detections
Remote: 3 detections
Service: 3 detections
C2: 2 detections
Beacon: 2 detections
Remote: 2 detections
Wmi: 2 detections
Service: 2 detections
Dll Hijack: 2 detections
Ransomware: 2 detections
Ransomware: 2 detections
Service: 2 detections
Command And Control: 2 detections
Registry: 1 detection
Wmi: 1 detection
Beacon: 1 detection
Dump: 1 detection
Dll Hijack: 1 detection
Credential: 1 detection
Network Connection Monitoring: 1 detection
Lateral: 1 detection
Named Pipe: 1 detection
Suspicious: 1 detection
Dump: 1 detection
Service: 1 detection
Remote: 1 detection
Suspicious: 1 detection
Exfiltrat: 1 detection
Credential: 1 detection
Suspicious: 1 detection
Privilege: 1 detection
Authentication Monitoring: 1 detection
Exfiltrat: 1 detection

DETECTIONS (67)

Each entry is listed as: rule name [source, severity level]; sources that publish no severity level show only the source.

Access To ADMIN$ Network Share [sigma, low]
Attempt to Mount SMB Share via Command Line [elastic, low]
CobaltStrike Service Installations - Security [sigma, high]
CobaltStrike Service Installations - System [sigma, critical]
Copy From Or To Admin Share Or Sysvol Folder [sigma, medium]
DCERPC SMB Spoolss Named Pipe [sigma, medium]
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security [sigma, high]
Detect PsExec With accepteula Flag [splunk_escu]
Executable File Written in Administrative SMB Share [splunk_escu]
First Time Seen Remote Named Pipe [sigma, high]
First Time Seen Remote Named Pipe - Zeek [sigma, high]
HackTool - SharpMove Tool Execution [sigma, high]
Impacket Lateral Movement Commandline Parameters [splunk_escu]
Impacket Lateral Movement smbexec CommandLine Parameters [splunk_escu]
Impacket Lateral Movement WMIExec Commandline Parameters [splunk_escu]
Impacket PsExec Execution [sigma, high]
Lateral Movement Detection [crowdstrike_cql]
Lateral Movement via Startup Folder [elastic, high]
Metasploit Or Impacket Service Installation Via SMB PsExec [sigma, high]
Metasploit SMB Authentication [sigma, high]
Mounting Hidden or WebDav Remote Shares [elastic, medium]
NullSessionPipe Registry Modification [elastic, medium]
Password Provided In Command Line Of Net.EXE [sigma, medium]
Potential CobaltStrike Service Installations - Registry [sigma, high]
Potential DCOM InternetExplorer.Application DLL Hijack [sigma, critical]
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load [sigma, critical]
Potential Lateral Tool Transfer via SMB Share [elastic, medium]
Potential Machine Account Relay Attack via SMB [elastic, high]
Potential PowerShell HackTool Script by Function Names [elastic, medium]
Potential Ransomware Behavior - Note Files by System [elastic, medium]
Potential Ransomware Note File Dropped via SMB [elastic, high]
Protected Storage Service Access [sigma, high]
PsExec Network Connection [elastic, low]
PUA - CSExec Default Named Pipe [sigma, medium]
PUA - RemCom Default Named Pipe [sigma, medium]
Remote Execution via File Shares [elastic, medium]
Remote File Copy to a Hidden Share [elastic, medium]
Remote Service Activity via SVCCTL Named Pipe [sigma, medium]
Remote Windows Service Installed [elastic, medium]
Rundll32 Execution Without Parameters [sigma, high]
Rundll32 UNC Path Execution [sigma, high]
Service Command Lateral Movement [elastic, low]
SMB Connections via LOLBin or Untrusted Process [elastic, medium]
SMB Create Remote File Admin Share [sigma, high]
SMB Spoolss Name Piped Usage [sigma, medium]
SMB Traffic Spike [splunk_escu]
smbexec.py Service Installation [sigma, high]
Suspicious Execution from a WebDav Share [elastic, high]
Suspicious File Renamed via SMB [elastic, high]
Suspicious New-PSDrive to Admin Share [sigma, medium]
Suspicious Process Execution via Renamed PsExec Executable [elastic, medium]
Suspicious PsExec Execution [sigma, high]
Suspicious PsExec Execution - Zeek [sigma, high]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic, medium]
T1047 Wmiprvse Wbemcomn DLL Hijack [sigma, high]
Unsigned or Unencrypted SMB Connection to Share Established [sigma, medium]
Windows Admin Share Mount Via Net.EXE [sigma, medium]
Windows Internet Hosted WebDav Share Mount Via Net.EXE [sigma, high]
Windows PUA Named Pipe [splunk_escu]
Windows Registry File Creation in SMB Share [elastic, medium]
Windows RMM Named Pipe [splunk_escu]
Windows Share Mount Via Net.EXE [sigma, low]
Windows Special Privileged Logon On Multiple Hosts [splunk_escu]
Windows Suspicious C2 Named Pipe [splunk_escu]
Windows Suspicious Named Pipe [splunk_escu]
Wmiprvse Wbemcomn DLL Hijack [sigma, high]
Wmiprvse Wbemcomn DLL Hijack - File [sigma, critical]