rules/windows/builtin/win_admin_share_access.yml

title: Access to ADMIN$ Share
id: 098d7118-55bc-4912-a836-dc6483a8d150
description: Detects access to $ADMIN share
tags:
    - attack.lateral_movement
    - attack.t1077
status: experimental
author: Florian Roth
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5140
        ShareName: Admin$
    filter:
        SubjectUserName: '*$'
    condition: selection and not filter
falsepositives: 
    - Legitimate administrative activity
level: low
Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00			`title: Access to ADMIN$ Share`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 098d7118-55bc-4912-a836-dc6483a8d150`
Rule: Fixed missing description 2018-06-08 11:38:27 +02:00			`description: Detects access to $ADMIN share`
Add tags to windows builtin rules 2018-07-24 07:50:32 +02:00			`tags:`
			`- attack.lateral_movement`
			`- attack.t1077`
Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00			`status: experimental`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 09:00:06 +03:00			`definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'`
Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00			`detection:`
			`selection:`
Bugfixes and improvements 2017-03-21 10:24:20 +01:00			`EventID: 5140`
			`ShareName: Admin$`
Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00			`filter:`
Various rule fixes 2018-03-26 22:53:38 +02:00			`SubjectUserName: '*$'`
Rule: Access to ADMIN$ share 2017-03-14 14:53:03 +01:00			`condition: selection and not filter`
			`falsepositives:`
			`- Legitimate administrative activity`
			`level: low`