Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB, to interact with systems using remote procedure calls (RPCs), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.

Anchor can support Windows execution via SMB shares. APT28 has mapped network drives using Net and administrator credentials. APT29 has used administrative accounts to connect over SMB to targeted users. APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.
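The hidden administrative shares named above (ADMIN$, C$, IPC$) are a natural detection pivot: Windows records each share access as Security event 5140 ("A network share object was accessed"), with the share in the ShareName field and the caller's account and source address alongside it. The following added example, which is not part of the original page, parses constructed 5140-style records, keeps only accesses to the administrative shares, and groups them by account and source address to surface one account touching admin shares on several hosts, the pattern this technique leaves. The host names, account names and addresses are made up for the example; the field names follow the 5140 event schema.

```python
import re
from dataclasses import dataclass

# Hidden administrative shares from the technique description.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample records modelled on Security event 5140 (and one 4624
# logon event that must be ignored). Hosts, users and IPs are invented.
SAMPLE_EVENTS = [
    "EventID=5140 Computer=WS01 SubjectUserName=jdoe SubjectDomainName=CORP "
    "IpAddress=10.0.0.5 ShareName=\\\\*\\Finance",
    "EventID=5140 Computer=WS01 SubjectUserName=svc-backup SubjectDomainName=CORP "
    "IpAddress=10.0.0.9 ShareName=\\\\*\\ADMIN$",
    "EventID=5140 Computer=WS02 SubjectUserName=svc-backup SubjectDomainName=CORP "
    "IpAddress=10.0.0.9 ShareName=\\\\*\\C$",
    "EventID=5140 Computer=WS03 SubjectUserName=svc-backup SubjectDomainName=CORP "
    "IpAddress=10.0.0.9 ShareName=\\\\*\\IPC$",
    "EventID=4624 Computer=WS03 SubjectUserName=jdoe SubjectDomainName=CORP "
    "IpAddress=10.0.0.5 LogonType=3",
]


@dataclass(frozen=True)
class ShareAccess:
    computer: str   # host whose share was accessed
    user: str       # DOMAIN\account that accessed it
    source_ip: str  # address the SMB session came from
    share: str      # bare share name, e.g. ADMIN$


def parse_event(line):
    """Parse one key=value record; return a ShareAccess for 5140 events, else None."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if fields.get("EventID") != "5140":
        return None
    # ShareName is logged as \\*\NAME; keep only the trailing NAME.
    share = fields.get("ShareName", "").rsplit("\\", 1)[-1]
    user = f"{fields['SubjectDomainName']}\\{fields['SubjectUserName']}"
    return ShareAccess(fields["Computer"], user, fields["IpAddress"], share)


def admin_share_accesses(lines):
    """Return all accesses to hidden administrative shares, in log order."""
    found = []
    for line in lines:
        event = parse_event(line)
        if event is not None and event.share.upper() in ADMIN_SHARES:
            found.append(event)
    return found


def lateral_movement_candidates(lines, min_hosts=2):
    """Group admin-share access by (user, source IP) and return the pairs that
    reached at least `min_hosts` distinct computers, mapped to those hosts."""
    hosts_by_actor = {}
    for event in admin_share_accesses(lines):
        key = (event.user, event.source_ip)
        hosts_by_actor.setdefault(key, set()).add(event.computer)
    return {
        actor: sorted(hosts)
        for actor, hosts in hosts_by_actor.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for actor, hosts in lateral_movement_candidates(SAMPLE_EVENTS).items():
        print(f"{actor[0]} from {actor[1]} accessed admin shares on: {', '.join(hosts)}")
```

In production the same grouping is run over a time window and the threshold tuned so that backup and patch-management accounts that legitimately touch ADMIN$ on many hosts are baselined rather than alerted on every run; the interesting signal is an account or source address that newly starts doing so.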