|
Naziv
|
Windows Admin Shares with Stolen Credentials
|
|
Sažetak
|
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain. Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.
|
|
Preduvjeti
|
The system/application is connected to the Windows domain.|The target administrative share allows remote use of local admin credentials to log into domain systems.|The adversary possesses a list of known Windows administrator credentials that exist on the target domain.
|
|
Rješenja
|
['Do not reuse local administrator account credentials across systems.', 'Deny remote use of local admin credentials to log into domain systems.', 'Do not allow accounts to be a local administrator on more than one system.']
|
