CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
Overview
Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.
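From the detection side, as an added example that is not part of the CAPEC entry: each access to one of the hidden shares named above shows up as the Share Name field of Windows Security event 5140 ("A network share object was accessed"), so a defender can flag admin-share access from hosts outside an expected administrative set, and accounts that touch the admin shares of several machines from one source. The event records, host names, addresses and the allowlist below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed event 5140 records reduced to the fields used here; the hosts,
# accounts and addresses are placeholders, not real telemetry.
EVENTS = [
    {"host": "WS01",  "account": "CORP\\jdoe",   "src": "10.0.5.23", "share": "\\\\*\\Users"},
    {"host": "SRV02", "account": "CORP\\admin7", "src": "10.0.0.10", "share": "\\\\*\\ADMIN$"},
    {"host": "WS03",  "account": "CORP\\admin7", "src": "10.0.5.88", "share": "\\\\*\\C$"},
    {"host": "WS04",  "account": "CORP\\admin7", "src": "10.0.5.88", "share": "\\\\*\\ADMIN$"},
    {"host": "WS05",  "account": "CORP\\admin7", "src": "10.0.5.88", "share": "\\\\*\\IPC$"},
    {"host": "WS06",  "account": "CORP\\jdoe",   "src": "10.0.5.23", "share": "\\\\*\\C$"},
]

# Assumed allowlist: source addresses from which admin-share access is expected
# (e.g. a jump host used by the administration team).
ADMIN_JUMP_HOSTS = {"10.0.0.10"}

# Event 5140 reports the share as \\*\NAME; ADMIN$, IPC$ and the per-volume
# shares (C$, D$, ...) are the hidden administrative shares.
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|IPC\$|[A-Z]\$)$", re.IGNORECASE)


def is_admin_share(share):
    """True if the 5140 Share Name refers to a hidden administrative share."""
    return ADMIN_SHARE.match(share) is not None


def find_suspicious(events, allowlist=ADMIN_JUMP_HOSTS, fanout_threshold=3):
    """Return (events from non-allowlisted sources, accounts reaching many hosts).

    The first list catches admin-share access from unexpected machines; the
    second dict keys (account, source address) to the hosts whose admin shares
    were opened, which is the fan-out typical of credential reuse across a domain.
    """
    unexpected = []
    targets = defaultdict(set)
    for ev in events:
        if not is_admin_share(ev["share"]):
            continue  # ordinary file shares are out of scope for this rule
        if ev["src"] not in allowlist:
            unexpected.append(ev)
        targets[(ev["account"], ev["src"])].add(ev["host"])
    fanout = {k: sorted(v) for k, v in targets.items() if len(v) >= fanout_threshold}
    return unexpected, fanout
```

Running `find_suspicious(EVENTS)` on the sample flags the four accesses not coming from the jump host and reports `CORP\admin7` from 10.0.5.88 reaching WS03, WS04 and WS05.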
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1: Explore
[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.
  - An adversary purchases breached Windows administrator credentials from the dark web.
  - An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
  - An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
  - An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
  - An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.
- Step 2: Experiment