CAPEC-561 Detail
Windows Admin Shares with Stolen Credentials
Parents: 653
Threats: T71 T75 T279 T283 T385 T388 T398 T402
An adversary guesses or obtains (i.e., steals or purchases) legitimate Windows administrator credentials (e.g., userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
Windows systems in the Windows NT family contain hidden network shares that are accessible only to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and to copy, write, and execute files, along with other administrative actions. Example network shares include C$, ADMIN$, and IPC$. If an adversary obtains legitimate Windows credentials, the hidden shares can be accessed remotely, via Server Message Block (SMB) or the Net utility, to transfer files and execute code. Adversaries can also use NTLM hashes to access administrator shares on systems with certain configuration and patch levels.
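As an added example that is not part of the CAPEC entry, the following detection logic groups Windows Security event 5140 ("A network share object was accessed") records by source address and account and surfaces remote use of the hidden shares named above; it generalises to any drive share (C$, D$, ...). The record field names, the allow-list of management hosts and the sample records are assumptions constructed for illustration.

```python
"""Flag remote access to hidden Windows admin shares in event 5140 records.

Assumptions: each record is a dict with the 5140 fields EventID, ShareName,
IpAddress, SubjectUserName plus the logging host (Computer); all sample
records below are constructed, not real telemetry."""
import re
from collections import defaultdict

# ADMIN$ and drive shares (C$, D$, ...) expose the disk; IPC$ carries the
# named pipes used for remote execution.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(ADMIN\$|IPC\$|[A-Z]\$)$", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "::1"}


def is_admin_share(share_name: str) -> bool:
    """True for hidden administrative share names, False for ordinary shares."""
    return ADMIN_SHARE.match(share_name.strip()) is not None


def flag_admin_share_access(events, trusted_sources=frozenset()):
    """Return {(source_ip, account): {"shares": [...], "hosts": [...]}}.

    One source touching admin shares on several hosts is the lateral-movement
    pattern described above. Loopback and allow-listed sources are dropped."""
    hits = defaultdict(lambda: {"shares": set(), "hosts": set()})
    for ev in events:
        if ev.get("EventID") != 5140 or not is_admin_share(ev.get("ShareName", "")):
            continue
        src = ev.get("IpAddress", "")
        if src in LOOPBACK or src in trusted_sources:
            continue
        key = (src, ev.get("SubjectUserName", "").lower())
        hits[key]["shares"].add(ev["ShareName"].upper())
        hits[key]["hosts"].add(ev.get("Computer", "").lower())
    return {k: {"shares": sorted(v["shares"]), "hosts": sorted(v["hosts"])}
            for k, v in hits.items()}


def _ev(host, share, ip, user, event_id=5140):
    """Build one constructed sample record."""
    return {"EventID": event_id, "Computer": host, "ShareName": share,
            "IpAddress": ip, "SubjectUserName": user}


SAMPLE_EVENTS = [  # constructed: one workstation sweeping ADMIN$, C$, IPC$
    _ev("WS01", r"\\*\ADMIN$", "10.0.0.5", "Administrator"),
    _ev("WS02", r"\\*\C$", "10.0.0.5", "Administrator"),
    _ev("WS02", r"\\*\IPC$", "10.0.0.5", "Administrator"),
    _ev("FS01", r"\\*\Public", "10.0.0.5", "Administrator"),   # ordinary share
    _ev("WS03", r"\\*\ADMIN$", "127.0.0.1", "SYSTEM"),          # local access
    _ev("WS03", r"\\*\C$", "10.0.0.2", "svc_backup"),           # backup host
    _ev("WS03", "", "10.0.0.5", "Administrator", event_id=4624),  # not 5140
]

if __name__ == "__main__":
    for (ip, user), info in flag_admin_share_access(SAMPLE_EVENTS, {"10.0.0.2"}).items():
        print(f"{ip} as {user}: {info['shares']} on {info['hosts']}")
```

In a real deployment the allow-list should be limited to dedicated management hosts, and any source outside it reaching ADMIN$ or IPC$ on more than one host deserves a ticket.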
Explore
- Acquire known Windows administrator credentials: The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.
| Techniques |
|---|
| An adversary purchases breached Windows administrator credentials from the dark web. |
| An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided. |
| An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted. |
| An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes. |
| An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials. |
Experiment
- Attempt domain authentication: Try each Windows administrator credential against the hidden network shares until the target grants access.
| Techniques |
|---|
| Manually or automatically enter each administrator credential through the target's interface. |
Exploit
- Malware Execution: An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.
- Data Exfiltration: The adversary can remotely obtain sensitive data contained within the administrative network shares.
- The system/application is connected to the Windows domain.
- The target administrative share allows remote use of local admin credentials to log into domain systems.
- The adversary possesses a list of known Windows administrator credentials that exist on the target domain.
- A list of known Windows administrator credentials for the targeted domain.
| Low |
|---|
| Once an adversary obtains a known Windows credential, leveraging it is trivial. |
| Integrity | Authorization | Access Control | Authentication | Confidentiality |
|---|---|---|---|---|
| Modify Data | Read Data | Gain Privileges | Gain Privileges | Gain Privileges |
| Read Data | | | | |
- APT32 has leveraged Windows' built-in Net utility to use Windows Administrative Shares to copy and execute remote malware. [REF-579]
- In May 2017, APT15 laterally moved within a Windows domain via Windows Administrative Shares to copy files to and from compromised host systems. This further allowed for the remote execution of malware. [REF-578]