
T1021.002 - Remote Services: SMB/Windows Admin Shares

Description from ATT&CK

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB (Citation: Wikipedia Server Message Block), to interact with systems using remote procedure calls (RPCs) (Citation: TechNet RPC), transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels (Citation: Microsoft Admin Shares).

Atomic Tests


Atomic Test #1 - Map admin share

Connecting To Remote Shares

Supported Platforms: Windows

auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3

Inputs:

Name          | Description               | Type   | Default Value
user_name     | Username                  | string | DOMAIN\Administrator
share_name    | Examples C$, IPC$, Admin$ | string | C$
password      | Password                  | string | P@ssw0rd1
computer_name | Target Computer Name      | string | Target

Attack Commands: Run with command_prompt!

cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"


Atomic Test #2 - Map Admin Share PowerShell

Map Admin share utilizing PowerShell

Supported Platforms: Windows

auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5

Inputs:

Name          | Description               | Type   | Default Value
share_name    | Examples C$, IPC$, Admin$ | string | C$
map_name      | Mapped Drive Letter       | string | g
computer_name | Target Computer Name      | string | Target

Attack Commands: Run with powershell!

New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}


Atomic Test #3 - Copy and Execute File with PsExec

Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.

Supported Platforms: Windows

auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf

Inputs:

Name         | Description                                              | Type   | Default Value
command_path | File to copy and execute                                 | path   | C:\Windows\System32\cmd.exe
remote_host  | Remote computer to receive the copy and execute the file | string | \\localhost
psexec_exe   | Path to PsExec                                           | string | PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}

Dependencies: Run with powershell!

Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
Check Prereq Commands:
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "#{psexec_exe}" -Force


Atomic Test #4 - Execute command writing output to local Admin Share

Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks.

Supported Platforms: Windows

auto_generated_guid: d41aaab5-bdfe-431d-a3d5-c29e9136ff46

Inputs:

Name               | Description                                              | Type   | Default Value
output_file        | Remote computer to receive the copy and execute the file | string | output.txt
command_to_execute | Command to execute for output.                           | string | hostname

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
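The four tests above each leave a distinct trace in standard Windows logging: a UNC path to a hidden share in a process command line (tests #1, #2 and #4), a detailed file share access on ADMIN$ (test #4, and the copy step of test #3), and the PSEXESVC service install that PsExec performs (test #3). As an added example, not code from Atomic Red Team or from the tests themselves, the Python below runs simple detection rules for the ATT&CK description and all four tests over a handful of constructed event records. The event IDs used are the standard ones (Security 4688 process creation with command line, Security 5145 detailed file share access, System 7045 service installation); the field names follow the usual event XML names, but every record, host name, user and value is made up for illustration, and the code assumes command-line and file-share auditing are enabled on the host being monitored.

```python
"""Added example (not Atomic Red Team code): flag admin-share activity of the
kind the T1021.002 atomic tests produce, using constructed Windows events."""
import re
from typing import Iterable, List, Optional

# Hidden administrative shares named in the ATT&CK description.
ADMIN_SHARES = ("C$", "ADMIN$", "IPC$")

# UNC path to an admin share inside a command line, e.g. \\TARGET\C$ or
# \\127.0.0.1\ADMIN$\output.txt. The lookahead stops C$ matching C$foo.
_UNC_ADMIN = re.compile(
    r"\\\\(?P<host>[^\\\s\"']+)\\(?P<share>"
    + "|".join(re.escape(s) for s in ADMIN_SHARES)
    + r")(?=[\\\s\"']|$)",
    re.IGNORECASE,
)

# Constructed sample events (values are invented; field names mirror the
# Windows Security and System log fields).
SAMPLE_EVENTS = [
    # Test #1: net use against C$ seen in a process-creation event
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": r'cmd.exe /c "net use \\TARGET\C$ P@ssw0rd1 /u:DOMAIN\Administrator"'},
    # Test #2: New-PSDrive mapping of the same share
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "CommandLine": r"powershell.exe New-PSDrive -name g -psprovider filesystem -root \\TARGET\C$"},
    # Test #3: PsExec installs its PSEXESVC service on the remote host
    {"EventID": 7045, "Computer": "TARGET", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Test #4: command output written into ADMIN$ (AccessMask 0x2 = WriteData)
    {"EventID": 5145, "Computer": "TARGET", "SubjectUserName": "alice",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "output.txt", "AccessMask": "0x2"},
    # Benign noise: a read on an ordinary share and an unrelated process
    {"EventID": 5145, "Computer": "TARGET", "SubjectUserName": "bob",
     "ShareName": r"\\*\Public", "RelativeTargetName": "report.docx", "AccessMask": "0x1"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "bob",
     "CommandLine": "notepad.exe"},
]


def admin_share_in_command(command_line: str) -> Optional[dict]:
    """Return {'host', 'share'} if the command line references an admin share."""
    m = _UNC_ADMIN.search(command_line)
    if not m:
        return None
    return {"host": m.group("host"), "share": m.group("share").upper()}


def classify(event: dict) -> Optional[dict]:
    """Apply one detection rule per event type; return a finding or None."""
    eid = event.get("EventID")
    base = {"computer": event.get("Computer"), "user": event.get("SubjectUserName")}
    if eid == 4688:
        hit = admin_share_in_command(event.get("CommandLine", ""))
        if hit:
            return {"rule": "admin_share_in_command_line", **base, **hit}
    elif eid == 5145:
        # ShareName is logged as \\*\<share>; keep only the share part.
        share = event.get("ShareName", "").rsplit("\\", 1)[-1].upper()
        if share in ADMIN_SHARES:
            mask = int(event.get("AccessMask", "0x0"), 16)
            return {"rule": "admin_share_file_access", **base, "share": share,
                    "target": event.get("RelativeTargetName"),
                    "write": bool(mask & 0x2)}
    elif eid == 7045:
        if event.get("ServiceName", "").upper() == "PSEXESVC":
            return {"rule": "psexec_service_installed", **base,
                    "image": event.get("ImagePath")}
    return None


def detect(events: Iterable[dict]) -> List[dict]:
    """Run classify() over a stream of events and keep the findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The command-line rule is deliberately tool-agnostic: it keys on the UNC path to a hidden share rather than on `net use` or `New-PSDrive`, so it also covers any other binary that is handed `\\host\C$`. In a real pipeline the 5145 rule should be tuned by excluding backup, management and patching accounts that legitimately write to ADMIN$, otherwise it will be noisy.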