Windows Admin Shares (e.g., C$, ADMIN$, IPC$) are built-in network shares that allow administrators to remotely manage systems via the SMB protocol. Although these shares are enabled by default for legitimate administrative tasks, adversaries abuse them to move laterally, stage payloads, and execute remote commands.
File Transfer & Remote Execution:
Adversaries use administrative accounts to map remote admin shares using built-in tools (e.g., the NET command) to transfer binaries to target systems. They then execute these binaries using remote execution methods like

This image shows `services.exe` executing `b17c5d9.exe` from the `ADMIN$` share via SMB.
Legitimate-Looking Activity:
Since Windows admin shares are a standard feature, the mapping and file access over these shares often blend in with normal administrative activity, helping attackers avoid immediate detection.
Automated Share Discovery:
Tools such as ShareFinder can be used by attackers to enumerate available shares and identify targets for lateral movement.
⭐ Important Windows Event Logs
Event ID 4688: On source systems, records process creation events such as the execution of net.exe or net1.exe when mapping admin shares.
Event ID 4648: Captures attempts to use explicit credentials, which is often seen when mapping shares with administrative privileges.
Event ID 4624 (Logon Type 3): On target systems, indicates successful network logons accessing shared resources.
Event IDs 5140 & 5145: On target systems, record which network share object (e.g., ADMIN$, C$) was mapped and, for 5145, which file within it was accessed.
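The following is an added example (not code from the original page) that shows how the source-side and target-side events listed above can be correlated into findings. It runs over constructed sample events: dicts that mimic the fields of Security log events 4688, 4648, 4624 and 5140/5145. Host names, IP addresses, user names and the share path format `\\*\ADMIN$` are assumptions for the sample; `ADMIN$`, `C$`, `IPC$`, `net.exe`/`net1.exe` and the file name `b17c5d9.exe` come from the page.

```python
"""Correlate admin-share mapping activity across source and target hosts.

Added example, not part of the original page. All events below are
constructed samples shaped like Windows Security log records.
"""
import re

# Built-in admin shares; any single drive-letter share (C$, D$, ...) also counts.
ADMIN_SHARES = {"ADMIN$", "IPC$"}
DRIVE_SHARE_RE = re.compile(r"^[A-Z]\$$")
# UNC path as it appears in a `net use` command line, e.g. \\SRV01\ADMIN$
UNC_RE = re.compile(r"\\\\(?P<host>[^\\\s]+)\\(?P<share>[^\\\s]+)")
# Built-in tools that 4688 shows when a share is mapped from the command line.
MAPPING_TOOLS = {"net.exe", "net1.exe"}

# Constructed sample events (assumed host/user/IP values, not real telemetry).
SAMPLE_EVENTS = [
    # Source host WS01: net.exe mapping a remote ADMIN$ share (4688) with explicit creds (4648)
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\SRV01\ADMIN$ /user:CORP\admin *"},
    {"EventID": 4648, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TargetUserName": "admin", "TargetServerName": "SRV01"},
    # Target host SRV01: type-3 logon, then ADMIN$ access (5140) and a file write (5145)
    {"EventID": 4624, "Computer": "SRV01", "LogonType": 3,
     "TargetUserName": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 5140, "Computer": "SRV01", "ShareName": r"\\*\ADMIN$",
     "SubjectUserName": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "Computer": "SRV01", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "b17c5d9.exe", "AccessMask": "0x2",
     "SubjectUserName": "admin", "IpAddress": "10.0.0.5"},
    # Benign noise: a user reading an ordinary file share
    {"EventID": 5140, "Computer": "SRV01", "ShareName": r"\\*\Public",
     "SubjectUserName": "jdoe", "IpAddress": "10.0.0.7"},
]


def is_admin_share(share: str) -> bool:
    """True for ADMIN$, IPC$ or any drive-letter$ share such as C$."""
    s = share.upper()
    return s in ADMIN_SHARES or DRIVE_SHARE_RE.match(s) is not None


def source_side_findings(events):
    """4688: net.exe / net1.exe command lines that map an admin share on another host."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if exe not in MAPPING_TOOLS:
            continue
        m = UNC_RE.search(ev.get("CommandLine", ""))
        if m and is_admin_share(m.group("share")):
            findings.append({"source": ev["Computer"], "user": ev.get("SubjectUserName"),
                             "target": m.group("host"), "share": m.group("share").upper()})
    return findings


def target_side_findings(events):
    """5140/5145 on admin shares, flagged if a type-3 logon from the same IP was seen."""
    net_logons = {(ev["Computer"], ev.get("IpAddress"))
                  for ev in events if ev.get("EventID") == 4624 and ev.get("LogonType") == 3}
    findings = []
    for ev in events:
        if ev.get("EventID") not in (5140, 5145):
            continue
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1]
        if not is_admin_share(share):
            continue
        findings.append({
            "target": ev["Computer"], "event_id": ev["EventID"], "share": share.upper(),
            "user": ev.get("SubjectUserName"), "source_ip": ev.get("IpAddress"),
            "file": ev.get("RelativeTargetName"),  # only present on 5145
            "network_logon_seen": (ev["Computer"], ev.get("IpAddress")) in net_logons,
        })
    return findings


if __name__ == "__main__":
    for f in source_side_findings(SAMPLE_EVENTS) + target_side_findings(SAMPLE_EVENTS):
        print(f)
```

Pairing the 4688 finding on the source with the 5140/5145 findings on the target (same share, same account, type-3 logon from the source's address) is what separates a mapping of `ADMIN$` from the routine file-share traffic that otherwise makes this activity blend in; the `Public` share event above is correctly ignored.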

⭐ Important Sysmon Event IDs
