Writing Local Admin Share

level
status experimental

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Known false-positives

  • Unknown

References

Raw rule (edit)

title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: experimental
description: | 
  Aversaries may use to interact with a remote network share using Server Message Block (SMB).
  This technique is used by post-exploitation frameworks.
author: frack113
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
date: 2022/01/01
logsource:
  product: windows
  category: file_event
detection:
  selection:
    TargetFilename|contains|all:
        - '\\127.0.0'
        - '\ADMIN$\'
  condition: selection 
falsepositives:
  - Unknown
level: medium
tags:
  - attack.lateral_movement
  - attack.t1546.002

Sponsored by

Phish Report logo
With Phish Report you can achieve streamlined phishing takedowns using your existing security team.