| Name |
Windows Admin Shares with Stolen Credentials |
|
| Likelyhood of attack |
Typical severity |
| High |
High |
|
| Summary |
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels. |
| Prerequisites |
The system/application is connected to the Windows domain. The target administrative share allows remote use of local admin credentials to log into domain systems. The adversary possesses a list of known Windows administrator credentials that exist on the target domain. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares. |
- An adversary purchases breached Windows administrator credentials from the dark web.
- An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
- An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
- An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
- An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.
|
| 2 |
Experiment |
[Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access. |
- Manually or automatically enter each administrator credential through the target's interface.
|
| 3 |
Exploit |
[Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain. |
|
| 4 |
Exploit |
[Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares. |
|
|
| Solutions | Do not reuse local administrator account credentials across systems. Deny remote use of local admin credentials to log into domain systems. Do not allow accounts to be a local administrator on more than one system. |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-262 |
Not Using Password Aging |
| CWE-263 |
Password Aging with Long Expiration |
| CWE-294 |
Authentication Bypass by Capture-replay |
| CWE-308 |
Use of Single-factor Authentication |
| CWE-309 |
Use of Password System for Primary Authentication |
| CWE-521 |
Weak Password Requirements |
| CWE-522 |
Insufficiently Protected Credentials |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-151 |
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content. |
| CAPEC-165 |
An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined. |
| CAPEC-545 |
An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location. |
| CAPEC-549 |
An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others. |
| CAPEC-653 |
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data. Utilizing known Windows credentials, an adversary can obtain sensitive data from administrator shares, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more. Ultimately, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application. |
|
| Taxonomy: ATTACK |
|
Entry ID
|
Entry Name
|
| 1021.002 |
Remote Services:SMB/Windows Admin Shares |
|