Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

Attack Execution Flow

4

1

Step 1

Explore

[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.
An adversary purchases breached Windows administrator credentials from the dark web.
An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.

Attack Techniques

An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
An adversary purchases breached Windows administrator credentials from the dark web.
IT: Un avversario ottiene l'accesso a un sistema/file di dominio Windows e esfiltra gli hash delle password degli amministratori Windows.
An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
IT: Un avversario ottiene l'accesso a un sistema/file di dominio Windows e esfiltra gli hash delle password degli amministratori Windows.
An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
IT: Un avversario ottiene l'accesso a un sistema/file di dominio Windows e esfiltra gli hash delle password degli amministratori Windows.
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.
IT: Un avversario ottiene l'accesso a un sistema/file di dominio Windows e esfiltra gli hash delle password degli amministratori Windows.

2

Step 2

Experiment

[Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access.
Manually or automatically enter each administrator credential through the target's interface.

Attack Techniques

Manually or automatically enter each administrator credential through the target's interface.

3

Step 3

Exploit

[Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.

4

Step 4

Exploit

[Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares.

CAPEC 561 Windows Admin Shares with Stolen Credentials

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Step 3

Step 4

Mitigations

Deny Remote Use Of Local Admin Credentials To Log Into Domain Systems.

Do Not Allow Accounts To Be A Local Administrator On More Than One System.

Do Not Reuse Local Administrator Account Credentials Across Systems.

Consequences

Security Scopes Affected

Potential Impacts

Indicators

Relationships

Parent CAPECs

Related ATT&CK Techniques

SMB/Windows Admin Shares

Resources Required

CAPEC 561 Windows Admin Shares with Stolen Credentials

Description

Attack Execution Flow

Step 1

Attack Techniques

Step 2

Attack Techniques

Step 3

Step 4

Mitigations

Deny Remote Use Of Local Admin Credentials To Log Into Domain Systems.

Do Not Allow Accounts To Be A Local Administrator On More Than One System.

Do Not Reuse Local Administrator Account Credentials Across Systems.

Consequences

Security Scopes Affected

Potential Impacts

Indicators

Relationships

Parent CAPECs

Related ATT&CK Techniques

SMB/Windows Admin Shares

Resources Required

Iscriviti alla newsletter