Sponsored by
%22 id=%22PLIbC5HnolzLDgwRO21kM%22%3E%3Cpath style=%22stroke:none;stroke-width:1;stroke-dasharray:none;stroke-linecap:butt;stroke-dashoffset:0;stroke-linejoin:miter;stroke-miterlimit:4;fill:%232e3034;fill-rule:nonzero;opacity:1%22 vector-effect=%22non-scaling-stroke%22 transform=%22translate(0, 0)%22 d=%22M-185.555-28.44v44.13H-178.595v-15.58c6.78.0 10.54.0 11.3.0 8.65000000000001.0 14.66-5.78 14.66-14.34.0-8.47-6.00999999999999-14.21-14.66-14.21-2.44000000000003.0-8.52000000000001.0-18.26.0zM-178.595-5.81V-22.24c6.34.0 9.85999999999999.0 10.57.0C-163.065-22.24-159.785-19.06-159.785-14.089999999999998c0 4.91-3.28 8.28-8.24000000000001 8.28-1.41.0-4.93000000000001.0-10.57.0zm37.84-5.14c0-1.17.0-7 0-17.49H-147.215v44.13H-140.755c0-11.01.0-17.13.0-18.35.0-5.06 3.15000000000001-8.38 7.97-8.38 4.74000000000001.0 7.78999999999999 3.32 7.78999999999999 8.38.0 1.22.0 7.34.0 18.35h6.56c0-11.56.0-17.98.0-19.26.0-7.56-5.19-12.66-12.43-12.66-4.33000000000001.0-7.84 1.91-9.89000000000002 5.28zm33.24-17.03c-2.5.0-4.14 1.55-4.14 3.82.0 2.23 1.64 3.83 4.14 3.83 2.42.0 4.15000000000001-1.6 4.15000000000001-3.83.0-2.27-1.73-3.82-4.15000000000001-3.82zm-3.27 12.29V15.69h6.50999999999999V-15.69zm13.84 8.88c0 7.38 7.47 8.79 12.2 9.47 3.55.64 6.7 1.19 6.7 4.42.0 2.6-2.65000000000001 4.33-6.29000000000001 4.33-3.87.0-6.69000000000001-1.96-6.78-4.97-.640000000000001.0-5.74000000000001.0-6.38000000000001.0.0500000000000114 5.79 5.42 9.84 12.98 9.84 7.51000000000001.0 12.89-3.92 12.89-9.56.0-7.56-7.92999999999999-8.88-12.39-9.7-3.59999999999999-.73-6.47000000000001-1.23-6.47000000000001-4.46.0-2.37 2.42000000000002-4.01 5.74000000000001-4.01C-81.145-11.45-78.645-9.54-78.505-6.759999999999999c.609999999999999.0 5.49.0 6.09999999999999.0.0-5.6-5.09999999999999-9.47-12.25-9.47-7.33.0-12.29 3.73-12.29 9.42zm38.38-4.14c0-1.17.0-7 0-17.49H-65.075v44.13h6.51c0-11.01.0-17.13.0-18.35.0-5.06 3.15-8.38 7.97-8.38 4.74000000000001.0 7.79 3.32 7.79 8.38.0 1.22.0 7.34.0 18.35h6.56c0-11.56.0-17.98.0-19.26.0-7.56-5.24-12.66-12.43-12.66-4.33000000000001.0-7.84 1.91-9.89000000000001 5.28zm74.77 6.37c4.78-1.77 7.65-5.87 7.65-11.33.0-7.65-5.46-12.53-14.07-12.53-1.32.0-7.94.0-19.85.0v44.13h6.97v-17.17c7.65.0 11.9.0 12.75.0 4.18.0 6.73 3.28 6.87 8.2.0899999999999999 3.59.27 7.42.59 8.97.73.0 6.52.0 7.24.0-.5-1.6-.73-5.74-.859999999999999-9.84-.179999999999996-5.6-2.82-9.11-7.29-10.43zm-19.3-2.5v-15.16c7.29.0 11.34.0 12.15.0 4.74.0 7.65 2.86 7.65 7.51.0 4.64-2.91 7.65-7.65 7.65-1.62.0-5.67.0-12.15.0zm49.08-9.15c-9.7.0-16.75 6.78-16.75 16.25.0 9.43 7.05 16.26 16.75 16.26 7.7.0 14.39-5.01 16.21-11.93-.660000000000004.0-5.98.0-6.65.0-1.22 3.73-5.05 6.56-9.51000000000001 6.56-5.42.0-9.56-3.65-10.38-8.88 2.68.0 24.18.0 26.86.0.0899999999999963-.64.18-1.32.18-1.96C62.605-9.45 55.685-16.23 45.985-16.23zM56.465-2.98c-2.07.0-18.57.0-20.63.0 1.18-4.74 5.1-7.93 10.2-7.93 5.19.0 9.33 3.28 10.43 7.93zm18.85-8.15c0-.309999999999999.0-1.82.0-4.56H68.80499999999999V28.44H75.315c0-10.36.0-16.11.0-17.26 2.73 3.19 6.74 5.1 11.47 5.1 8.88000000000001.0 15.3-6.83 15.3-16.26.0-9.47-6.41999999999999-16.25-15.3-16.25-4.73.0-8.74 1.91-11.47 5.1zm0 11.15c0-6.14 4.19-10.61 10.06-10.61 5.83.0 10.02 4.47 10.02 10.61.0 6.15-4.19 10.57-10.02 10.57-5.87.0-10.06-4.42-10.06-10.57zm31.1.0C106.415 9.45 113.515 16.28 123.165 16.28c9.7.0 16.72-6.83 16.72-16.26.0-9.47-7.02000000000001-16.25-16.72-16.25-9.65000000000001.0-16.75 6.78-16.75 16.25zm26.77.0c0 6.15-4.19 10.57-10.06 10.57-5.78.0-10.02-4.42-10.02-10.57.0-6.14 4.24-10.61 10.02-10.61 5.87.0 10.06 4.47 10.06 10.61zm19.4-15.71h-6.50999999999999V15.69H152.585c0-9.29.0-14.45.0-15.49.0-6.46 4.50999999999999-10.29 11.79-10.29.0-.640000000000001.0-5.77.0-6.42-5.55000000000001.0-9.69999999999999 3.01-11.79 8.15.0-.970000000000001.0-3.42.0-7.33zm32.97.0H178.445v-8.1h-6.55000000000001v8.1H166.105v5.51h5.78999999999999v25.87H178.445V-10.18H185.555z%22 stroke-linecap=%22round%22/%3E%3C/g%3E%3Cg transform=%22matrix(0.96 0 0 0.96 295.96 249.04)%22 id=%22MNUhndpMaDPhyc05So8Mq%22%3E%3Cpath style=%22stroke:%23000;stroke-opacity:0;stroke-width:1;stroke-dasharray:none;stroke-linecap:butt;stroke-dashoffset:0;stroke-linejoin:miter;stroke-miterlimit:4;fill:%23000;fill-opacity:0;fill-rule:nonzero;opacity:1%22 vector-effect=%22non-scaling-stroke%22 transform=%22translate(-369.12, -320)%22 d=%22M183.56 291.56v44.13H190.52V320.11c6.78.0 10.54.0 11.3.0C210.47 320.11 216.48 314.33 216.48 305.77 216.48 297.3 210.47 291.56 201.82 291.56c-2.44.0-8.51999999999998.0-18.26.0zM190.52 314.19V297.76c6.34.0 9.85999999999999.0 10.57.0C206.05 297.76 209.33 300.94 209.33 305.91 209.33 310.82 206.05 314.19 201.09 314.19c-1.41.0-4.93000000000001.0-10.57.0zM228.36 309.05c0-1.17000000000002.0-7 0-17.49H221.9v44.13H228.36c0-11.01.0-17.13.0-18.35.0-5.06 3.14999999999998-8.38 7.97-8.38C241.07 308.96 244.12 312.28 244.12 317.34 244.12 318.56 244.12 324.68 244.12 335.69h6.56c0-11.56.0-17.98.0-19.26.0-7.56-5.19-12.66-12.43-12.66C233.92 303.77 230.41 305.68 228.36 309.05zm33.24-17.03C259.1 292.02 257.46 293.57 257.46 295.84 257.46 298.07 259.1 299.67 261.6 299.67 264.02 299.67 265.75 298.07 265.75 295.84 265.75 293.57 264.02 292.02 261.6 292.02zM258.33 304.31v31.38H264.84V304.31H258.33zm13.84 8.88C272.17 320.57 279.64 321.98 284.37 322.66 287.92 323.3 291.07 323.85 291.07 327.08 291.07 329.68 288.42 331.41 284.78 331.41 280.91 331.41 278.09 329.45 278 326.44 277.36 326.44 272.26 326.44 271.62 326.44 271.67 332.23 277.04 336.28 284.6 336.28 292.11 336.28 297.49 332.36 297.49 326.72 297.49 319.16 289.56 317.84 285.1 317.02 281.5 316.29 278.63 315.79 278.63 312.56 278.63 310.19 281.05 308.55 284.37 308.55 287.97 308.55 290.47 310.46 290.61 313.24 291.22 313.24 296.1 313.24 296.71 313.24 296.71 307.64 291.61 303.77 284.46 303.77 277.13 303.77 272.17 307.5 272.17 313.19zM310.55 309.05c0-1.17000000000002.0-7 0-17.49H304.04v44.13H310.55c0-11.01.0-17.13.0-18.35C310.55 312.28 313.7 308.96 318.52 308.96 323.26 308.96 326.31 312.28 326.31 317.34 326.31 318.56 326.31 324.68 326.31 335.69h6.56c0-11.56.0-17.98.0-19.26C332.87 308.87 327.63 303.77 320.44 303.77 316.11 303.77 312.6 305.68 310.55 309.05zm30.29 22.68C340.84 334.37 342.75 336.14 345.48 336.14 348.17 336.14 350.12 334.37 350.12 331.73 350.12 329.13 348.17 327.35 345.48 327.35 342.75 327.35 340.84 329.13 340.84 331.73zm44.48-16.31C390.1 313.65 392.97 309.55 392.97 304.09 392.97 296.44 387.51 291.56 378.9 291.56c-1.31999999999999.0-7.94.0-19.85.0v44.13H366.02V318.52c7.65000000000003.0 11.9.0 12.75.0C382.95 318.52 385.5 321.8 385.64 326.72 385.73 330.31 385.91 334.14 386.23 335.69 386.96 335.69 392.75 335.69 393.47 335.69 392.97 334.09 392.74 329.95 392.61 325.85 392.43 320.25 389.79 316.74 385.32 315.42zm-19.3-2.5V297.76c7.29000000000002.0 11.34.0 12.15.0C382.91 297.76 385.82 300.62 385.82 305.27 385.82 309.91 382.91 312.92 378.17 312.92c-1.62.0-5.67000000000002.0-12.15.0zM415.1 303.77C405.4 303.77 398.35 310.55 398.35 320.02 398.35 329.45 405.4 336.28 415.1 336.28 422.8 336.28 429.49 331.27 431.31 324.35 430.65 324.35 425.33 324.35 424.66 324.35 423.44 328.08 419.61 330.91 415.15 330.91 409.73 330.91 405.59 327.26 404.77 322.03c2.68000000000001.0 24.18.0 26.86.0C431.72 321.39 431.81 320.71 431.81 320.07 431.72 310.55 424.8 303.77 415.1 303.77zm10.48 13.25c-2.06999999999999.0-18.57.0-20.63.0C406.13 312.28 410.05 309.09 415.15 309.09 420.34 309.09 424.48 312.37 425.58 317.02zM444.43 308.87C444.43 308.56 444.43 307.05 444.43 304.31H437.92v44.13H444.43c0-10.36.0-16.11.0-17.26C447.16 334.37 451.17 336.28 455.9 336.28 464.78 336.28 471.2 329.45 471.2 320.02 471.2 310.55 464.78 303.77 455.9 303.77 451.17 303.77 447.16 305.68 444.43 308.87zm0 11.15C444.43 313.88 448.62 309.41 454.49 309.41 460.32 309.41 464.51 313.88 464.51 320.02 464.51 326.17 460.32 330.59 454.49 330.59 448.62 330.59 444.43 326.17 444.43 320.02zm31.1.0C475.53 329.45 482.63 336.28 492.28 336.28 501.98 336.28 509 329.45 509 320.02 509 310.55 501.98 303.77 492.28 303.77 482.63 303.77 475.53 310.55 475.53 320.02zm26.77.0C502.3 326.17 498.11 330.59 492.24 330.59 486.46 330.59 482.22 326.17 482.22 320.02 482.22 313.88 486.46 309.41 492.24 309.41 498.11 309.41 502.3 313.88 502.3 320.02zm19.4-15.71H515.19v31.38H521.7c0-9.29000000000002.0-14.45.0-15.49C521.7 313.74 526.21 309.91 533.49 309.91 533.49 309.27 533.49 304.14 533.49 303.49 527.94 303.49 523.79 306.5 521.7 311.64 521.7 310.67 521.7 308.22 521.7 304.31zM554.67 304.31H547.56V296.21H541.01V304.31H535.22V309.82H541.01v25.87H547.56V309.82H554.67V304.31z%22 stroke-linecap=%22round%22/%3E%3C/g%3E%3Cg transform=%22matrix(0.96 0 0 0.96 58.55 249.04)%22 id=%22F-0M290Y0gMncxY05saGG%22%3E%3Cpath style=%22stroke:none;stroke-width:1;stroke-dasharray:none;stroke-linecap:butt;stroke-dashoffset:0;stroke-linejoin:miter;stroke-miterlimit:4;fill:%23488eff;fill-rule:nonzero;opacity:1%22 vector-effect=%22non-scaling-stroke%22 transform=%22translate(-120.57, -320)%22 d=%22M85.33 312.59c0 26.77 35.25 50.06 35.25 50.06s35.24-23.29 35.24-50.06c0-19.46-15.77-35.24-35.24-35.24-19.47.0-35.25 15.78-35.25 35.24zm7.86.0c0-15.13 12.26-27.39 27.39-27.39 15.13.0 27.39 12.26 27.39 27.39C147.97 327.72 135.71 339.98 120.58 339.98c-15.13.0-27.39-12.26-27.39-27.39z%22 stroke-linecap=%22round%22/%3E%3C/g%3E%3Cg transform=%22matrix(0.96 0 0 0.96 58.55 249.04)%22 id=%22zTIV-9JYW1F4X74H0pio1%22%3E%3Cpath style=%22stroke:%23000;stroke-opacity:0;stroke-width:1;stroke-dasharray:none;stroke-linecap:butt;stroke-dashoffset:0;stroke-linejoin:miter;stroke-miterlimit:4;fill:%23000;fill-opacity:0;fill-rule:nonzero;opacity:1%22 vector-effect=%22non-scaling-stroke%22 transform=%22translate(-120.57, -320)%22 d=%22M85.33 312.59c0 26.77 35.25 50.06 35.25 50.06s35.24-23.29 35.24-50.06c0-19.46-15.77-35.24-35.24-35.24-19.47.0-35.25 15.78-35.25 35.24zm7.86.0c0-15.13 12.26-27.39 27.39-27.39 15.13.0 27.39 12.26 27.39 27.39C147.97 327.72 135.71 339.98 120.58 339.98c-15.13.0-27.39-12.26-27.39-27.39z%22 stroke-linecap=%22round%22/%3E%3C/g%3E%3Cg transform=%22matrix(0.96 0 0 0.96 58.45 242.65)%22 id=%22ZdFXrE9kAZ6r4kWv2PTSo%22%3E%3Cpath style=%22stroke:none;stroke-width:1;stroke-dasharray:none;stroke-linecap:butt;stroke-dashoffset:0;stroke-linejoin:miter;stroke-miterlimit:4;fill:%23488eff;fill-rule:nonzero;opacity:1%22 vector-effect=%22non-scaling-stroke%22 transform=%22translate(-120.47, -313.3)%22 d=%22M127.48 308.6C126.31 309.77 116.94 319.14 115.76 320.32 113.85 322.23 110.74 322.23 108.83 320.32 106.91 318.4 106.91 315.29 108.83 313.38 108.9 313.46 109.29 313.84 109.98 314.53L110.56 307.02C108.13 309.45 106.78 310.8 106.51 311.07 103.32 314.26 103.32 319.43 106.51 322.63 109.71 325.82 114.88 325.82 118.08 322.63 119.25 321.46 128.63 312.09 129.8 310.91 131.62 311.78 133.87 311.47 135.38 309.96 137.3 308.04 137.3 304.93 135.38 303.02 133.47 301.1 130.36 301.1 128.44 303.02 126.93 304.53 126.61 306.78 127.48 308.6zM130.76 307.64C130.12 307 130.12 305.97 130.76 305.33 131.39 304.69 132.43 304.69 133.07 305.33 133.71 305.97 133.71 307 133.07 307.64 132.43 308.28 131.39 308.28 130.76 307.64z%22 stroke-linecap=%22round%22/%3E%3C/g%3E%3Cg transform=%22matrix(0.96 0 0 0.96 58.45 242.65)%22 id=%22MQT3WOnxidCje1U1oBPuR%22%3E%3Cpath style=%22stroke:%23000;stroke-opacity:0;stroke-width:1;stroke-dasharray:none;stroke-linecap:butt;stroke-dashoffset:0;stroke-linejoin:miter;stroke-miterlimit:4;fill:%23000;fill-opacity:0;fill-rule:nonzero;opacity:1%22 vector-effect=%22non-scaling-stroke%22 transform=%22translate(-120.47, -313.3)%22 d=%22M127.48 308.6C126.31 309.77 116.94 319.14 115.76 320.32 113.85 322.23 110.74 322.23 108.83 320.32 106.91 318.4 106.91 315.29 108.83 313.38 108.9 313.46 109.29 313.84 109.98 314.53L110.56 307.02C108.13 309.45 106.78 310.8 106.51 311.07 103.32 314.26 103.32 319.43 106.51 322.63 109.71 325.82 114.88 325.82 118.08 322.63 119.25 321.46 128.63 312.09 129.8 310.91 131.62 311.78 133.87 311.47 135.38 309.96 137.3 308.04 137.3 304.93 135.38 303.02 133.47 301.1 130.36 301.1 128.44 303.02 126.93 304.53 126.61 306.78 127.48 308.6zM130.76 307.64C130.12 307 130.12 305.97 130.76 305.33 131.39 304.69 132.43 304.69 133.07 305.33 133.71 305.97 133.71 307 133.07 307.64 132.43 308.28 131.39 308.28 130.76 307.64z%22 stroke-linecap=%22round%22/%3E%3C/g%3E%3C/svg%3E)
Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: experimental
description: |
Aversaries may use to interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
date: 2022/01/01
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- '\\127.0.0'
- '\ADMIN$\'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.lateral_movement
- attack.t1546.002