Detect SMB/Windows Admin Shares in Google Chronicle
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). Windows systems have hidden administrative shares (C$, ADMIN$, IPC$) accessible only to administrators. Adversaries abuse these shares to copy tools, execute payloads, and move laterally throughout a network. Major ransomware families (Conti, Ryuk, NotPetya, Emotet, Royal, RansomHub) and APT groups (APT41, Sandworm, Wizard Spider, Chimera) have all leveraged SMB admin shares for lateral movement. Common execution methods paired with SMB include PsExec, scheduled tasks, service creation, and WMI.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Sub-technique: T1021.002 SMB/Windows Admin Shares
- Canonical reference: https://attack.mitre.org/techniques/T1021/002/
YARA-L Detection Query
```
rule smb_admin_share_lateral_movement {
  meta:
    author = "Detection Engineering"
    description = "Detects SMB admin share access and lateral tool transfer - T1021.002"
    severity = "HIGH"
    mitre_attack_tactic = "Lateral Movement"
    mitre_attack_technique = "T1021.002"
    reference = "https://attack.mitre.org/techniques/T1021/002/"
    false_positives = "IT management tools, backup agents, domain replication"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.file.full_path, `(?i)(psexec64?|paexec|remcom)\.exe$`) or
        (
          re.regex($e.target.process.file.full_path, `(?i)net1?\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)\buse\b`) and
          re.regex($e.target.process.command_line, `(?i)(ADMIN\$|IPC\$|C\$)`)
        )
      )
    ) or
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" and
      // UDM stores a connection's destination port in target.port
      $e.target.port = 445 and
      not re.regex($e.principal.process.file.full_path, `(?i)(svchost|lsass|smss)\.exe$`) and
      re.regex($e.principal.process.command_line, `(?i)(ADMIN\$|IPC\$|C\$)`)
    )

  condition:
    $e
}
```
This Chronicle YARA-L 2.0 rule covers two SMB admin share abuse vectors using UDM fields: PROCESS_LAUNCH events that match PsExec/PaExec/RemCom execution or net use commands targeting administrative shares, and NETWORK_CONNECTION events to port 445 from non-system processes whose command line references an admin share. It maps directly to Chronicle's normalized UDM schema for process and network event types ingested via Windows sensors or Bindplane.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative tools including SysInternals PsExec used by SOC/IT teams, SCCM remote execution clients, and RMM tools (ConnectWise, Kaseya) that leverage PsExec-style execution should be baselined and added to a reference list for suppression
- Endpoint security and monitoring solutions (CrowdStrike RTR, Carbon Black Live Response, SentinelOne Remote Shell) that use SMB internally for agent communication may trigger NETWORK_CONNECTION rules; exclude known security tooling process paths
- Group Policy Object (GPO) processing, domain join operations, and SYSVOL synchronization from legitimate domain infrastructure generate SMB port 445 connections that may match if command_line telemetry is populated; whitelist domain controller IP ranges
Testing Methodology
Validate this detection against 4 Atomic Red Team tests for T1021.002. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Map Admin Share with Net Use
  Expected signal: Sysmon Event ID 1: net.exe with CommandLine containing 'use' and 'C$'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4624 (LogonType=3, NTLM or Kerberos) on the target. Security Event ID 5140 (share accessed: \\*\C$).
- Test 2: Copy File to ADMIN$ Share
  Expected signal: Sysmon Event ID 3: Network Connection to 127.0.0.1:445 from cmd.exe. Security Event ID 5145: Detailed network share file access for \\*\ADMIN$\calc_test.exe. Sysmon Event ID 11: File created at C:\Windows\calc_test.exe on the target.
- Test 3: PsExec Remote Command Execution via ADMIN$
  Expected signal: Sysmon Event ID 1: psexec.exe process creation. Sysmon Event ID 11: PSEXESVC.exe file created in C:\Windows\. Security Event ID 7045: New service 'PSEXESVC' installed. Security Event ID 4624 (LogonType=3) on the target. Security Event ID 5140 (\\*\ADMIN$ accessed).
- Test 4: Enumerate Admin Shares with Net View
  Expected signal: Sysmon Event ID 1: net.exe with CommandLine 'view \\127.0.0.1 /all'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 5140 (IPC$ share access for enumeration).
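To check which of the four Atomic tests the rule's two branches actually fire on, and how the reference-list suppression from the tuning section fits in, here is an added Python example (not part of this page or of Chronicle) that replays the rule's regexes over constructed UDM-shaped events. The destination port is read from the UDM field target.port, and the sanctioned RMM path in ALLOWED_TOOL_PATHS is a hypothetical allowlist entry.

```python
import re

# Patterns copied from the YARA-L rule on this page; Python's re accepts them unchanged.
TOOL_RE = re.compile(r"(?i)(psexec64?|paexec|remcom)\.exe$")
NET_RE = re.compile(r"(?i)net1?\.exe$")
USE_RE = re.compile(r"(?i)\buse\b")
SHARE_RE = re.compile(r"(?i)(ADMIN\$|IPC\$|C\$)")
SYSTEM_RE = re.compile(r"(?i)(svchost|lsass|smss)\.exe$")
# Hypothetical stand-in for a Chronicle reference list of sanctioned tool paths (constructed).
ALLOWED_TOOL_PATHS = {r"c:\program files\rmm agent\psexec.exe"}

def classify(ev):
    """Return the rule branch a UDM-shaped event matches, or None (no match or tuned out)."""
    if ev.get("metadata.event_type") == "PROCESS_LAUNCH":
        path = ev.get("target.process.file.full_path", "")
        cmd = ev.get("target.process.command_line", "")
        if path.lower() in ALLOWED_TOOL_PATHS:
            return None                         # suppression: sanctioned IT/RMM tooling
        if TOOL_RE.search(path):
            return "lateral_tool_launch"        # PsExec/PaExec/RemCom started
        if NET_RE.search(path) and USE_RE.search(cmd) and SHARE_RE.search(cmd):
            return "net_use_admin_share"        # net use against C$/ADMIN$/IPC$
    elif ev.get("metadata.event_type") == "NETWORK_CONNECTION":
        path = ev.get("principal.process.file.full_path", "")
        cmd = ev.get("principal.process.command_line", "")
        # UDM keeps a connection's destination port in target.port
        if ev.get("target.port") == 445 and not SYSTEM_RE.search(path) and SHARE_RE.search(cmd):
            return "smb_admin_share_connection"  # non-system process naming an admin share
    return None

def run_rule(events):
    """Apply classify() to each event and return the labels of the hits, in order."""
    return [label for label in map(classify, events) if label]

# Constructed telemetry mirroring Atomic Tests 1-4 above (127.0.0.1 as target), plus a
# sanctioned RMM launch and a svchost.exe connection to exercise the two exclusions.
SAMPLE_EVENTS = [
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Windows\System32\net.exe",
     "target.process.command_line": r"net use \\127.0.0.1\C$"},                               # Test 1
    {"metadata.event_type": "NETWORK_CONNECTION", "target.port": 445, "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe",
     "principal.process.command_line": r"cmd.exe /c copy calc_test.exe \\127.0.0.1\ADMIN$"},  # Test 2
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Users\jdoe\Downloads\PsExec64.exe",
     "target.process.command_line": r"PsExec64.exe \\127.0.0.1 ipconfig"},                     # Test 3
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Program Files\RMM Agent\psexec.exe",
     "target.process.command_line": r"psexec.exe \\127.0.0.1 hostname"},                       # sanctioned
    {"metadata.event_type": "NETWORK_CONNECTION", "target.port": 445, "principal.process.file.full_path": r"C:\Windows\System32\svchost.exe",
     "principal.process.command_line": "svchost.exe -k netsvcs"},                              # system noise
    {"metadata.event_type": "PROCESS_LAUNCH", "target.process.file.full_path": r"C:\Windows\System32\net.exe",
     "target.process.command_line": r"net view \\127.0.0.1 /all"},                            # Test 4: no 'use'
]
```

Note that Test 4 produces no hit from the process branch, so its coverage depends on the Security Event ID 5140 IPC$ telemetry listed above rather than on this rule.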
References (8)
- https://attack.mitre.org/techniques/T1021/002/
- https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5140
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md
- https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts
- https://www.cybereason.com/blog/research/cybereason-vs-conti-ransomware
- https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96