security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1077/T1077.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

63 lines
2.7 KiB
Markdown
Raw Blame History

# T1077 - Windows Admin Shares
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1077)
<blockquote>Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>.
Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Map admin share](#atomic-test-1---map-admin-share)
- [Atomic Test #2 - Map Admin Share PowerShell](#atomic-test-2---map-admin-share-powershell)
<br/>
## Atomic Test #1 - Map admin share
Connecting To Remote Shares
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
```
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
```
<br/>
<br/>
## Atomic Test #2 - Map Admin Share PowerShell
Map Admin share utilizing PowerShell
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
| computer_name | Target Computer Name | String | Target|
| map_name | Mapped Drive Letter | String | g|
#### Run it with `powershell`!
```
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink