Remote Services: SMB/Windows Admin Shares, Sub-technique T1021.002 - Enterprise
Procedure Examples
During the 2016 Ukraine Electric Power Attack, Sandworm Team utilized net use to connect to network shares.[4]
Anchor can support Windows execution via SMB shares.[5]
APT28 has mapped network drives using Net and administrator credentials.[6]
During APT28 Nearest Neighbor Campaign, APT28 leveraged SMB to transfer files and move laterally.[7]
APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[8]
APT32 used Net to use Windows' hidden network shares to copy their tools to remote machines for execution.[9]
APT39 has used SMB for lateral movement.[10]
APT41 has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executed them through Windows Management Instrumentation (WMI).[11][12]
Aquatic Panda used remote shares to enable lateral movement in victim environments.[13]
BlackByte used SMB file shares to distribute payloads throughout victim networks, including BlackByte ransomware variants during wormable operations.[14][15][16]
BlackByte Ransomware uses mapped shared folders to transfer ransomware payloads via SMB.[17]
BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.[18]
Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.[19]
Brute Ratel C4 has the ability to use SMB to pivot in compromised networks.[20][21][22]
Chimera has used Windows admin shares to move laterally.[23][24]
Cinnamon Tempest has used SMBexec for lateral movement.[25]
Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.[26][27]
Conficker variants spread through NetBIOS share propagation.[28]
Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.[29][30]
During Cutting Edge, threat actors moved laterally using compromised credentials to connect to internal Windows systems with SMB.[31]
Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[32]
Diavol can spread throughout a network via SMB prior to encryption.[33]
Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.[34]
Emotet has leveraged the Admin$, C$, and IPC$ shares for lateral movement.[35][36]
FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.[37]
FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.[38][39]
Fox Kitten has used valid accounts to access SMB shares.[40]
HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.[41]
During HomeLand Justice, threat actors used SMB for lateral movement.[42][43]
Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[44][45]
Kwampirs copies itself over network shares to move laterally on a victim network.[46]
Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.[47][48]
Leviathan used remote shares to move laterally through victim networks during Leviathan Australian Intrusions.[49]
LockBit 2.0 has the ability to move laterally via SMB.[50][51]
LockBit 3.0 can use SMB for lateral movement.[52]
Lucifer can infect victims by brute forcing SMB.[53]
MirrorFace has used SMB to copy malware between systems in compromised environments.[54][55]
Moses Staff has used batch scripts that can enable SMB on a compromised host.[56]
Lateral movement can be done with Net through net use commands to connect to admin shares on remote systems.[57]
Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[58]
NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[59][60][61]
Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.[62][61]
During Operation MidnightEclipse, threat actors used SMB to pivot internally in victim networks.[63]
During Operation Wocao, threat actors used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.[64]
Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$\WINDOWS, D$\WINDOWS, and E$\WINDOWS.[46]
Play has used Cobalt Strike to move laterally via SMB.[65]
PsExec, a tool that has been used by adversaries, writes programs to the ADMIN$ network share to execute commands on remote systems.[61]
Qilin can embed a copy of PsExec within its payload and place it in the %Temp% directory under a randomly generated filename.[66][67]
RansomHub can use credentials provided in its configuration to move laterally from the infected machine over SMBv2.[68]
reGeorg has the ability to tunnel SMB sessions.[69]
The Regin malware platform can use Windows admin shares to move laterally.[70]
Royal can use SMB to connect to remote hosts and move laterally.[71]
Ryuk has used the C$ network share for lateral movement.[72]
Sandworm Team has copied payloads to the ADMIN$ share of remote systems and run net use to connect to network shares.[4][73]
Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware.[74]
During the SolarWinds Compromise, APT29 used administrative accounts to connect over SMB to targeted users.[75]
Storm-1811 has attempted to move laterally in victim environments via SMB using Impacket.[76]
Stuxnet propagates to available network shares.[77]
Threat Group-1314 actors mapped network drives using net use.[78]
ToddyCat has used locally mounted network shares for lateral movement through targeted environments.[79]
Turla used net use commands to connect to lateral systems within a network.[80]
Velvet Ant has transferred tools within victim environments using SMB.[81]
Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.[82][83]
Zox has the ability to use SMB for communication.[84]
zwShell has been copied over network shares to move laterally.[85]
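Most of the procedures above reduce to the same host-side footprint: an authenticated SMB session to a hidden admin share (ADMIN$, IPC$, C$ or another drive-letter share), a payload written into it, and then remote execution via a service (the PsExec/PSEXESVC pattern used by NotPetya, Olympic Destroyer and others) or a scheduled task (Duqu, Shamoon). The following is an added hunting example written for this page, not code from ATT&CK or from any of the groups or tools listed. It runs over a handful of constructed Windows events (invented hosts, users and addresses) whose fields loosely follow Security event 5145 (detailed file share access) and System event 7045 (service installed), flags executables written to admin shares, correlates such a write with a service install of the same binary name on the same host within a short window, and reports how many hosts' admin shares each source address reached.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names loosely follow
# the Windows Security 5145 (detailed file share access) and System 7045
# (new service installed) event schemas; hosts, users and IPs are invented.
EVENTS = [
    {"id": 5145, "time": "2024-03-01T10:00:02", "host": "FS01",
     "user": "CORP\\svc_backup", "ip": "10.0.5.23",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe", "access_mask": 0x12019F},
    {"id": 7045, "time": "2024-03-01T10:00:04", "host": "FS01",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 5145, "time": "2024-03-01T11:30:00", "host": "FS01",
     "user": "CORP\\alice", "ip": "10.0.8.41",
     "share": "\\\\*\\Finance", "target": "Q1\\budget.xlsx", "access_mask": 0x1},
    {"id": 5145, "time": "2024-03-01T12:15:00", "host": "WS07",
     "user": "CORP\\svc_backup", "ip": "10.0.5.23",
     "share": "\\\\*\\C$", "target": "Windows\\Temp\\update.exe", "access_mask": 0x2},
    {"id": 5145, "time": "2024-03-01T12:15:01", "host": "WS07",
     "user": "CORP\\svc_backup", "ip": "10.0.5.23",
     "share": "\\\\*\\IPC$", "target": "svcctl", "access_mask": 0x12019F},
]

# \\*\ADMIN$, \\*\IPC$ and any \\*\<drive letter>$ are the hidden admin shares.
ADMIN_SHARE_RE = re.compile(r"^\\\\\*\\(?:ADMIN\$|IPC\$|[A-Z]\$)$", re.IGNORECASE)
WRITE_DATA = 0x2            # FILE_WRITE_DATA / FILE_ADD_FILE bit of the access mask
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs")


def is_admin_share(share):
    return bool(ADMIN_SHARE_RE.match(share))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def admin_share_accesses(events):
    """All 5145 events that touch a hidden admin share."""
    return [e for e in events if e["id"] == 5145 and is_admin_share(e["share"])]


def staged_payloads(events):
    """Admin-share accesses that write an executable: a payload being copied in."""
    return [e for e in admin_share_accesses(events)
            if e["access_mask"] & WRITE_DATA and basename(e["target"]).endswith(EXEC_EXT)]


def psexec_style_executions(events, window=timedelta(minutes=5)):
    """A write to ADMIN$/C$ followed shortly by a 7045 on the same host whose
    service binary has the same file name: the PsExec pattern (copy PSEXESVC.exe,
    then install it as a service). Scheduled-task variants would correlate the
    write with a 4698 instead."""
    findings = []
    installs = [e for e in events if e["id"] == 7045]
    for w in staged_payloads(events):
        t0 = datetime.fromisoformat(w["time"])
        for s in installs:
            t1 = datetime.fromisoformat(s["time"])
            if (s["host"] == w["host"] and basename(s["image"]) == basename(w["target"])
                    and timedelta(0) <= t1 - t0 <= window):
                findings.append({"host": w["host"], "source_ip": w["ip"], "user": w["user"],
                                 "file": basename(w["target"]), "service": s["service"]})
    return findings


def fan_out(events):
    """Distinct hosts whose admin shares each source address reached (lateral spread)."""
    hosts = defaultdict(set)
    for e in admin_share_accesses(events):
        hosts[e["ip"]].add(e["host"])
    return {ip: sorted(h) for ip, h in hosts.items()}


if __name__ == "__main__":
    for f in psexec_style_executions(EVENTS):
        print("remote service execution via admin share:", f)
    for ip, hosts in fan_out(EVENTS).items():
        print(f"{ip} reached admin shares on {len(hosts)} host(s): {hosts}")
```

Event 5145 is only produced when "Audit Detailed File Share" is enabled, and it is noisy on file servers, so the filter on admin shares plus the write bit and an executable extension is what keeps this tractable. The fan-out count is the cheap signal for the wormable cases above (Conti, Diavol, LockBit, BlackByte): one workstation account touching admin shares on many hosts in a short period is worth a look even when no service install follows.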