Remote Services: SMB/Windows Admin Shares, Sub-technique T1021.002 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Remote Services: SMB/Windows Admin Shares, Sub-technique T1021.002 - Enterprise | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul 
class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div 
class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> 
</li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1021">Remote Services</a></li> <li class="breadcrumb-item">SMB/Windows Admin Shares</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Remote Services:</span> SMB/Windows Admin Shares </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div 
class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Remote Services (8)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1021/001/" class="subtechnique-table-item" data-subtechnique_id="T1021.001"> T1021.001 </a> </td> <td> <a href="/techniques/T1021/001/" class="subtechnique-table-item" data-subtechnique_id="T1021.001"> Remote Desktop Protocol </a> </td> </tr> <tr> <td class="active"> T1021.002 </td> <td class="active"> SMB/Windows Admin Shares </td> </tr> <tr> <td> <a href="/techniques/T1021/003/" class="subtechnique-table-item" data-subtechnique_id="T1021.003"> T1021.003 </a> </td> <td> <a href="/techniques/T1021/003/" class="subtechnique-table-item" data-subtechnique_id="T1021.003"> Distributed Component Object Model </a> </td> </tr> <tr> <td> <a href="/techniques/T1021/004/" class="subtechnique-table-item" data-subtechnique_id="T1021.004"> T1021.004 </a> </td> <td> <a href="/techniques/T1021/004/" class="subtechnique-table-item" data-subtechnique_id="T1021.004"> SSH </a> </td> </tr> <tr> <td> <a href="/techniques/T1021/005/" class="subtechnique-table-item" data-subtechnique_id="T1021.005"> T1021.005 </a> </td> <td> <a href="/techniques/T1021/005/" class="subtechnique-table-item" data-subtechnique_id="T1021.005"> VNC </a> </td> </tr> <tr> <td> <a href="/techniques/T1021/006/" class="subtechnique-table-item" data-subtechnique_id="T1021.006"> T1021.006 </a> </td> <td> <a href="/techniques/T1021/006/" class="subtechnique-table-item" data-subtechnique_id="T1021.006"> Windows Remote Management </a> 
</td> </tr> <tr> <td> <a href="/techniques/T1021/007/" class="subtechnique-table-item" data-subtechnique_id="T1021.007"> T1021.007 </a> </td> <td> <a href="/techniques/T1021/007/" class="subtechnique-table-item" data-subtechnique_id="T1021.007"> Cloud Services </a> </td> </tr> <tr> <td> <a href="/techniques/T1021/008/" class="subtechnique-table-item" data-subtechnique_id="T1021.008"> T1021.008 </a> </td> <td> <a href="/techniques/T1021/008/" class="subtechnique-table-item" data-subtechnique_id="T1021.008"> Direct Cloud VM Connections </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may use <a href="/techniques/T1078">Valid Accounts</a> to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.</p><p>SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.</p><p>Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>. Adversaries may use this technique in conjunction with administrator-level <a href="/techniques/T1078">Valid Accounts</a> to remotely access a networked system over SMB,<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Wikipedia. (2017, December 16). Server Message Block. 
Retrieved December 21, 2017."data-reference="Wikipedia Server Message Block"><sup><a href="https://en.wikipedia.org/wiki/Server_Message_Block" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> to interact with systems using remote procedure calls (RPCs),<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016."data-reference="TechNet RPC"><sup><a href="https://technet.microsoft.com/en-us/library/cc787851.aspx" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are <a href="/techniques/T1053">Scheduled Task/Job</a>, <a href="/techniques/T1569/002">Service Execution</a>, and <a href="/techniques/T1047">Windows Management Instrumentation</a>. Adversaries can also use NTLM hashes to access administrator shares on systems with <a href="/techniques/T1550/002">Pass the Hash</a> and certain configuration and patch levels.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. 
Retrieved November 20, 2014."data-reference="Microsoft Admin Shares"><sup><a href="http://support.microsoft.com/kb/314984" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1021.002 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/techniques/T1021">T1021</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0008">Lateral Movement</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) 
that may be required for the (sub-)technique to work">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">System Requirements: </span>SMB enabled; Host/network firewalls not blocking SMB ports between source and destination; Use of domain account in administrator group on remote system or default system admin account. </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>11 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>28 July 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1021.002" href="/versions/v16/techniques/T1021/002/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1021.002" href="/versions/v16/techniques/T1021/002/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0025"> C0025 </a> </td> <td> <a href="/campaigns/C0025"> 2016 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/groups/G0034">Sandworm Team</a> 
utilized <code>net use</code> to connect to network shares.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0504"> S0504 </a> </td> <td> <a href="/software/S0504"> Anchor </a> </td> <td> <p><a href="/software/S0504">Anchor</a> can support Windows execution via SMB shares.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020."data-reference="Medium Anchor DNS July 2020"><sup><a href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has mapped network drives using <a href="/software/S0039">Net</a> and administrator credentials.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p><a href="/groups/G0022">APT3</a> will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye"><sup><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <p><a href="/groups/G0050">APT32</a> used <a href="/software/S0039">Net</a> to use Windows' hidden network shares to copy their tools to remote machines for execution.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0087"> G0087 </a> </td> <td> <a href="/groups/G0087"> APT39 </a> </td> <td> <p><a href="/groups/G0087">APT39</a> has used SMB for lateral movement.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Symantec. 
(2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."data-reference="Symantec Chafer February 2018"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> has transferred implant files using Windows Admin Shares and the Server Message Block (SMB) protocol, then executed files through Windows Management Instrumentation (WMI).<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020."data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024."data-reference="apt41_dcsocytec_dec2022"><sup><a href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0143"> G0143 </a> </td> <td> <a href="/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/groups/G0143">Aquatic Panda</a> used remote shares to enable lateral movement in victim environments.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. 
Retrieved May 20, 2024."data-reference="Crowdstrike HuntReport 2022"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0089"> S0089 </a> </td> <td> <a href="/software/S0089"> BlackEnergy </a> </td> <td> <p><a href="/software/S0089">BlackEnergy</a> has run a plug-in on a victim to spread through the local network by using <a href="/software/S0029">PsExec</a> and accessing admin shares.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016."data-reference="Securelist BlackEnergy Nov 2014"><sup><a href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0108"> G0108 </a> </td> <td> <a href="/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/groups/G0108">Blue Mockingbird</a> has used Windows Explorer to manually copy malicious files to remote hosts over SMB.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Lambert, T. (2020, May 7). Introducing Blue Mockingbird. 
Retrieved May 26, 2020."data-reference="RedCanary Mockingbird May 2020"><sup><a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1063"> S1063 </a> </td> <td> <a href="/software/S1063"> Brute Ratel C4 </a> </td> <td> <p><a href="/software/S1063">Brute Ratel C4</a> has the ability to use SMB to pivot in compromised networks.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023."data-reference="Palo Alto Brute Ratel July 2022"><sup><a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023."data-reference="MDSec Brute Ratel August 2022"><sup><a href="https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. 
Retrieved February 7, 2023."data-reference="Dark Vortex Brute Ratel C4"><sup><a href="https://bruteratel.com/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0114"> G0114 </a> </td> <td> <a href="/groups/G0114"> Chimera </a> </td> <td> <p><a href="/groups/G0114">Chimera</a> has used Windows admin shares to move laterally.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021"><sup><a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1021"> G1021 </a> </td> <td> <a href="/groups/G1021"> Cinnamon Tempest </a> </td> <td> <p><a href="/groups/G1021">Cinnamon Tempest</a> has used SMBexec for lateral movement.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. 
Retrieved December 6, 2023."data-reference="Sygnia Emperor Dragonfly October 2022"><sup><a href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0154"> S0154 </a> </td> <td> <a href="/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/software/S0154">Cobalt Strike</a> can use Windows admin shares (C$ and ADMIN$) for lateral movement.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017."data-reference="Cobalt Strike TTPs Dec 2017"><sup><a href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023."data-reference="Trend Micro Black Basta October 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0608"> S0608 </a> </td> <td> <a href="/software/S0608"> Conficker </a> </td> <td> <p><a href="/software/S0608">Conficker</a> variants spread through NetBIOS share propagation.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Burton, K. (n.d.). The Conficker Worm. 
Retrieved February 18, 2021."data-reference="SANS Conficker"><sup><a href="https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0575"> S0575 </a> </td> <td> <a href="/software/S0575"> Conti </a> </td> <td> <p><a href="/software/S0575">Conti</a> can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021."data-reference="Cybereason Conti Jan 2021"><sup><a href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021."data-reference="CarbonBlack Conti July 2020"><sup><a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0029"> C0029 </a> </td> <td> <a href="/campaigns/C0029"> Cutting Edge </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a>, threat actors moved laterally using compromised credentials to connect to internal Windows systems with SMB.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. 
Retrieved February 27, 2024."data-reference="Volexity Ivanti Zero-Day Exploitation January 2024"><sup><a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0009"> G0009 </a> </td> <td> <a href="/groups/G0009"> Deep Panda </a> </td> <td> <p><a href="/groups/G0009">Deep Panda</a> uses net.exe to connect to network shares using <code>net use</code> commands with compromised credentials.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014."data-reference="Alperovitch 2014"><sup><a href="https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0659"> S0659 </a> </td> <td> <a href="/software/S0659"> Diavol </a> </td> <td> <p><a href="/software/S0659">Diavol</a> can spread throughout a network via SMB prior to encryption.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. 
Retrieved November 12, 2021."data-reference="Fortinet Diavol July 2021"><sup><a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0038"> S0038 </a> </td> <td> <a href="/software/S0038"> Duqu </a> </td> <td> <p>Adversaries can instruct <a href="/software/S0038">Duqu</a> to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015."data-reference="Symantec W32.Duqu"><sup><a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0367"> S0367 </a> </td> <td> <a href="/software/S0367"> Emotet </a> </td> <td> <p><a href="/software/S0367">Emotet</a> has leveraged the Admin$, C$, and IPC$ shares for lateral movement. <span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019."data-reference="Malwarebytes Emotet Dec 2017"><sup><a href="https://support.malwarebytes.com/docs/DOC-2295" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Binary Defense. (n.d.). 
Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023."data-reference="Binary Defense Emotes Wi-Fi Spreader"><sup><a href="https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022"><sup><a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0061"> G0061 </a> </td> <td> <a href="/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/groups/G0061">FIN8</a> has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. <a href="/groups/G0061">FIN8</a> has also used smbexec from the <a href="/software/S0357">Impacket</a> suite for lateral movement.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. 
Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023."data-reference="Bitdefender Sardonic Aug 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0117"> G0117 </a> </td> <td> <a href="/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/groups/G0117">Fox Kitten</a> has used valid accounts to access SMB shares.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020."data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0698"> S0698 </a> </td> <td> <a href="/software/S0698"> HermeticWizard </a> </td> <td> <p><a href="/software/S0698">HermeticWizard</a> can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. 
Retrieved April 10, 2022."data-reference="ESET Hermetic Wizard March 2022"><sup><a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0038"> C0038 </a> </td> <td> <a href="/campaigns/C0038"> HomeLand Justice </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a>, threat actors used SMB for lateral movement.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024."data-reference="CISA Iran Albanian Attacks September 2022"><sup><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/groups/G0004">Ke3chang</a> actors have been known to copy files to the network shares of other computers to move laterally.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). 
OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014."data-reference="Mandiant Operation Ke3chang November 2014"><sup><a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong"><sup><a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0236"> S0236 </a> </td> <td> <a href="/software/S0236"> Kwampirs </a> </td> <td> <p><a href="/software/S0236">Kwampirs</a> copies itself over network shares to move laterally on a victim network.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018."data-reference="Symantec Orangeworm April 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> malware SierraAlfa accesses the <code>ADMIN$</code> share via SMB to conduct lateral movement.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Novetta Threat Research Group. 
(2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016."data-reference="Novetta Blockbuster RATs"><sup><a href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0532"> S0532 </a> </td> <td> <a href="/software/S0532"> Lucifer </a> </td> <td> <p><a href="/software/S0532">Lucifer</a> can infect victims by brute forcing SMB.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. 
Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1009"> G1009 </a> </td> <td> <a href="/groups/G1009"> Moses Staff </a> </td> <td> <p><a href="/groups/G1009">Moses Staff</a> has used batch scripts that can enable SMB on a compromised host.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021"><sup><a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0039"> S0039 </a> </td> <td> <a href="/software/S0039"> Net </a> </td> <td> <p>Lateral movement can be done with <a href="/software/S0039">Net</a> through <code>net use</code> commands to connect to shares on remote systems.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0056"> S0056 </a> </td> <td> <a href="/software/S0056"> Net Crawler </a> </td> <td> <p><a href="/software/S0056">Net Crawler</a> uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Cylance. 
(2014, December). Operation Cleaver. Retrieved September 14, 2017."data-reference="Cylance Cleaver"><sup><a href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0368"> S0368 </a> </td> <td> <a href="/software/S0368"> NotPetya </a> </td> <td> <p><a href="/software/S0368">NotPetya</a> can use <a href="/software/S0029">PsExec</a>, which interacts with the <code>ADMIN$</code> network share to execute commands on remote systems.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019."data-reference="Talos Nyetya June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span><span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Russinovich, M. (2004, June 28). PsExec. 
Retrieved December 17, 2015."data-reference="PsExec Russinovich"><sup><a href="http://windowsitpro.com/systems-management/psexec" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0365"> S0365 </a> </td> <td> <a href="/software/S0365"> Olympic Destroyer </a> </td> <td> <p><a href="/software/S0365">Olympic Destroyer</a> uses <a href="/software/S0029">PsExec</a> to interact with the <code>ADMIN$</code> network share to execute commands on remote systems.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018"><sup><a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span><span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015."data-reference="PsExec Russinovich"><sup><a href="http://windowsitpro.com/systems-management/psexec" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors used <a href="/software/S0357">Impacket</a>'s smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. 
Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0071"> G0071 </a> </td> <td> <a href="/groups/G0071"> Orangeworm </a> </td> <td> <p><a href="/groups/G0071">Orangeworm</a> has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018."data-reference="Symantec Orangeworm April 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1040"> G1040 </a> </td> <td> <a href="/groups/G1040"> Play </a> </td> <td> <p><a href="/groups/G1040">Play</a> has used <a href="/software/S0154">Cobalt Strike</a> to move laterally via SMB.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. 
Retrieved September 24, 2024."data-reference="Trend Micro Ransomware Spotlight Play July 2023"><sup><a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0029"> S0029 </a> </td> <td> <a href="/software/S0029"> PsExec </a> </td> <td> <p><a href="/software/S0029">PsExec</a>, a tool that has been used by adversaries, writes programs to the <code>ADMIN$</code> network share to execute commands on remote systems.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015."data-reference="PsExec Russinovich"><sup><a href="http://windowsitpro.com/systems-management/psexec" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0019"> S0019 </a> </td> <td> <a href="/software/S0019"> Regin </a> </td> <td> <p>The <a href="/software/S0019">Regin</a> malware platform can use Windows admin shares to move laterally.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. 
Retrieved December 1, 2014."data-reference="Kaspersky Regin"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1073"> S1073 </a> </td> <td> <a href="/software/S1073"> Royal </a> </td> <td> <p><a href="/software/S1073">Royal</a> can connect over SMB to move laterally.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023."data-reference="Cybereason Royal December 2022"><sup><a href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0446"> S0446 </a> </td> <td> <a href="/software/S0446"> Ryuk </a> </td> <td> <p><a href="/software/S0446">Ryuk</a> has used the C$ network share for lateral movement.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. 
Retrieved February 11, 2021."data-reference="Bleeping Computer - Ryuk WoL"><sup><a href="https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> has copied payloads to the <code>ADMIN$</code> share of remote systems and run <code>net use</code> to connect to network shares.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New "Prestige" ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0140"> S0140 </a> </td> <td> <a href="/software/S0140"> Shamoon </a> </td> <td> <p><a href="/software/S0140">Shamoon</a> accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a <a href="/techniques/T1053">Scheduled Task/Job</a> to execute the malware.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="FireEye. (2016, November 30). 
FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017."data-reference="FireEye Shamoon Nov 2016"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used administrative accounts to connect over SMB to targeted users.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0603"> S0603 </a> </td> <td> <a href="/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/software/S0603">Stuxnet</a> propagates to available network shares.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 "data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0028"> G0028 </a> </td> <td> <a href="/groups/G0028"> Threat Group-1314 </a> </td> <td> <p><a href="/groups/G0028">Threat Group-1314</a> actors mapped network drives using <code>net use</code>.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016."data-reference="Dell TG-1314"><sup><a href="http://www.secureworks.com/resources/blog/living-off-the-land/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1022"> G1022 </a> </td> <td> <a href="/groups/G1022"> ToddyCat </a> </td> <td> <p><a href="/groups/G1022">ToddyCat</a> has used locally mounted network shares for lateral movement through targeted environments.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p><a href="/groups/G0010">Turla</a> used <code>net use</code> commands to connect to other systems within a network.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). 
The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014."data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0102"> G0102 </a> </td> <td> <a href="/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/groups/G0102">Wizard Spider</a> has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020."data-reference="DFIR Ryuk 2 Hour Speed Run November 2020"><sup><a href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span><span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020."data-reference="DFIR Ryuk's Return October 2020"><sup><a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0672"> S0672 </a> </td> <td> <a href="/software/S0672"> Zox </a> </td> <td> <p><a href="/software/S0672">Zox</a> has the ability to use SMB for communication.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. 
Retrieved November 12, 2014."data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0350"> S0350 </a> </td> <td> <a href="/software/S0350"> zwShell </a> </td> <td> <p><a href="/software/S0350">zwShell</a> has been copied over network shares to move laterally.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon"><sup><a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1037"> M1037 </a> </td> <td> <a href="/mitigations/M1037"> Filter Network Traffic </a> </td> <td> <p>Consider using the host firewall to restrict file sharing communications such as SMB. <span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. 
Retrieved June 1, 2020."data-reference="Microsoft Preventing SMB"><sup><a href="https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/mitigations/M1035"> M1035 </a> </td> <td> <a href="/mitigations/M1035"> Limit Access to Resource Over Network </a> </td> <td> <p>Consider disabling Windows administrative shares.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1027"> M1027 </a> </td> <td> <a href="/mitigations/M1027"> Password Policies </a> </td> <td> <p>Do not reuse local administrator account passwords across systems; a shared local administrator password lets credentials taken from one compromised host be replayed against the administrative shares of every other host. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1026"> M1026 </a> </td> <td> <a href="/mitigations/M1026"> Privileged Account Management </a> </td> <td> <p>Deny remote use of local admin credentials to log into systems. 
Do not allow domain user accounts to be in the local Administrators group on multiple systems.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that connect to remote shares, such as <a href="/software/S0039">Net</a>, on the command-line interface, and Discovery techniques that could be used to find remotely accessible systems.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. Retrieved October 11, 2019."data-reference="Medium Detecting WMI Persistence"><sup><a href="https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p><p>Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect potential connections to, and writes to, remote shares. 
</p> </td> </tr> <tr class="datasource" id="uses-DS0028"> <td> <a href="/datasources/DS0028">DS0028</a> </td> <td class="nowrap"> <a href="/datasources/DS0028">Logon Session</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0028/#Logon%20Session%20Creation">Logon Session Creation</a> </td> <td> <p>Monitor for logon behavior (ex: EID 4624 Logon Type 3) using <a href="/techniques/T1078">Valid Accounts</a> to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. Ensure that proper logging of accounts used to log into systems is turned on and centrally collected. Windows logging is able to collect success/failure for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. <span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016."data-reference="Lateral Movement Payne"><sup><a href="https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). 
Retrieved February 1, 2016." data-reference="Windows Event Forwarding Payne">
From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.</p><p>Analytic 1 and 2 are very similar, with the key difference being that Implementation 2 is intended to capture multiple attempts at lateral movement originating from the same host within a short time period (5 minutes).</p><ul><li><p>smb2_write_request, smb1_write_andx_response is indication of an SMB file write to a Windows Admin File Share: ADMIN$ or C$</p></li><li><p>smb2_tree_connect_request, smb1_tree_connect_andx_request is observed originating from the same host, regardless of write-attempts and regardless of whether or not any connection is successful —just connection attempts— within a specified period of time (REPEATS 5 TIMES WITHIN 5 MINUTES FROM SAME src_ip).</p></li></ul><p>From a network traffic capture standpoint, it’s important to capture the right traffic for this type of detection to function (e.g., all endpoint to endpoint if possible or workstation to server and workstation to workstation). As such, it is helpful to have a centralized server area where it is possible to monitor communications between servers and endpoints.The Service Control Manager (SCM) can be used to copy a file to the ADMIN$ share and execute it as a service. 
This can be detected by looking for incoming RPC network connections to the Service Control Manager, followed by services.exe spawning a child process.</p><p>Analytic 1 - Basic</p><p><code>sourcetype="Zeek:SMB_Files" EventCode IN ("smb2_write_request", "smb1_write_andx_response", "smb2_tree_connect_request", "smb1_tree_connect_andx_request") AND (Path="ADMIN$" OR Path="C$")</code></p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon SMB data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on SMB network flows.</p><p>Notes:</p><ul><li>The logic for Implementation 1 is based around detecting on SMB write requests, which are often used by adversaries to move laterally to another host. Unlike SMB Reads, SMB Write requests typically require an additional level of access, resulting in less activity. Focusing on SMB Write activity narrows the field to looking at techniques associated with actively changing remote hosts, instead of passively reading files.</li><li>The logic for Implementation 2 is based around detection of new processes that were created from a file written to an SMB share. First, a file is remotely written to a host via an SMB share; then, a variety of Execution techniques can be used to remotely establish execution of the file or script. To detect this behavior, look for files that are written to a host over SMB and then later run directly as a process or in the command line arguments. 
SMB File Writes and Remote Execution may happen normally in an environment, but the combination of the two behaviors is less frequent and more likely to indicate adversarial activity.</li></ul><p>Analytic 1 - SMB Write</p><p><code>sourcetype="Zeek:SMB_Files" port="445" AND protocol="smb.write"</code></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for the creation of WMI Win32_Process class and method Create to interact with a remote network share using Server Message Block (SMB). Relevant indicators detected by Bro/Zeek is IWbemServices::ExecMethod or IWbemServices::ExecMethodAsync. One thing to notice is that when the Create method is used on a remote system, the method is run under a host process named "Wmiprvse.exe".</p><p>The process WmiprvSE.exe is what spawns the process defined in the CommandLine parameter of the Create method. Therefore, the new process created remotely will have Wmiprvse.exe as a parent. WmiprvSE.exe is a DCOM server and it is spawned underneath the DCOM service host svchost.exe with the following parameters C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p. From a logon session perspective, on the target, WmiprvSE.exe is spawned in a different logon session by the DCOM service host. 
However, whatever is executed by WmiprvSE.exe occurs on the new network type (3) logon session created by the user that authenticated from the network.</p><p>Analytic 1 - Basic</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ParentImage="*wmiprvse.exe" AND TargetLogonID="0x3e7"</code></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://en.wikipedia.org/wiki/Server_Message_Block" target="_blank"> Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://technet.microsoft.com/en-us/library/cc787851.aspx" target="_blank"> Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="http://support.microsoft.com/kb/314984" target="_blank"> Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. 
</a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank"> Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank"> Symantec. (2018, February 28). 
Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank"> DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank"> CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank"> Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 
</a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank"> Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/" target="_blank"> Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://bruteratel.com/" target="_blank"> Dark Vortex. (n.d.). A Customized Command and Control Center for Red Team and Adversary Simulation. Retrieved February 7, 2023. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. 
</a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank"> Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank"> Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank"> Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm" target="_blank"> Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank"> Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. 
</a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"> Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank"> Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/" target="_blank"> Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank"> Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. 
</a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank"> Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://support.malwarebytes.com/docs/DOC-2295" target="_blank"> Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/" target="_blank"> Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. 
</a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank"> Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank"> ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="37.0"> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank"> CISA. (2022, September 23). 
AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank"> Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 
</a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. 
</a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank"> Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank"> Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank"> Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank"> US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="http://windowsitpro.com/systems-management/psexec" target="_blank"> Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015. 
</a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank"> Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank"> Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). 
Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" target="_blank"> Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank"> MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" target="_blank"> FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank"> CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. 
</a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Falliere, N., Murchu, L. O., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="http://www.secureworks.com/resources/blog/living-off-the-land/" target="_blank"> Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank"> The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. 
</a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank"> Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections" target="_blank"> Microsoft. (2020, March 10). Preventing SMB traffic from lateral connections and entering or leaving the network. Retrieved June 1, 2020. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96" target="_blank"> French, D. (2018, October 9). Detecting & Removing an Attacker’s WMI Persistence. 
Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts" target="_blank"> Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem" target="_blank"> Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>