Adversaries may leverage local admin shares to establish persistent access and move laterally within a network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential post-exploitation activity and mitigate lateral movement risks.
Detection Rule
title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: test
description: |
Aversaries may use to interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
author: frack113
date: 2022-01-01
modified: 2022-08-13
tags:
- attack.privilege-escalation
- attack.persistence
- attack.lateral-movement
- attack.t1546.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- '\\\\127.0.0'
- '\ADMIN$\'
condition: selection
falsepositives:
- Unknown
level: medium
imFileEvent
| where TargetFileName contains "\\\\127.0.0" and TargetFileName contains "\\ADMIN$\\"Scenario: Scheduled Job to Back Up Admin Shares
Description: A legitimate scheduled job is configured to back up local admin shares (e.g., C$\Windows) to a remote server.
Filter/Exclusion: process.name == "backup.exe" or process.name == "wbadmin.exe"
Scenario: System Update via SMB
Description: Windows Update or Microsoft Endpoint Manager (MEM) pushes updates via SMB to a local admin share.
Filter/Exclusion: process.name == "wuauclt.exe" or process.name == "setup.exe"
Scenario: Admin Task to Share Files with Remote Systems
Description: An administrator uses PowerShell or a script to share a folder (e.g., C$\Temp) with a remote system for file transfer.
Filter/Exclusion: process.name == "powershell.exe" and process.args contains "New-SmbShare"
Scenario: Antivirus or EDR Tool Accessing Admin Shares
Description: A security tool (e.g., CrowdStrike, SentinelOne) accesses admin shares to perform system scans or data collection.
Filter/Exclusion: process.name contains "crowdstrike" or process.name contains "sentinelone"
Scenario: User-Initiated File Transfer via SMB
Description: A user shares a folder (e.g., D$\Projects) with a remote machine for collaboration, using tools like smbclient or net use.
Filter/Exclusion: process.name == "smbclient" or process.name == "net.exe" and user.name != "admin"