T1021.002 IBM QRadar · QRadar

Detect SMB/Windows Admin Shares in IBM QRadar

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). Windows systems have hidden administrative shares (C$, ADMIN$, IPC$) accessible only to administrators. Adversaries abuse these shares to copy tools, execute payloads, and move laterally throughout a network. Major ransomware families (Conti, Ryuk, NotPetya, Emotet, Royal, RansomHub) and APT groups (APT41, Sandworm, Wizard Spider, Chimera) have all leveraged SMB admin shares for lateral movement. Common execution methods paired with SMB include PsExec, scheduled tasks, service creation, and WMI.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.002 SMB/Windows Admin Shares
Canonical reference
https://attack.mitre.org/techniques/T1021/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  destinationip,
  username,
  QIDNAME(qid) AS event_name,
  "EventID" AS event_id,
  "ShareName" AS share_name,
  "CommandLine" AS command_line,
  "Image" AS process_image
FROM events
WHERE LAST 24 HOURS
  AND (
    (
      "EventID" IN ('5140', '5145')
      AND (
        "ShareName" ILIKE '%ADMIN$%'
        OR "ShareName" ILIKE '%C$%'
        OR "ShareName" ILIKE '%IPC$%'
      )
    )
    OR (
      "EventID" = '1'
      AND (
        "Image" ILIKE '%psexec.exe'
        OR "Image" ILIKE '%psexec64.exe'
        OR "Image" ILIKE '%paexec.exe'
        OR "Image" ILIKE '%remcom.exe'
      )
    )
    OR (
      "EventID" = '1'
      AND ("Image" ILIKE '%net.exe' OR "Image" ILIKE '%net1.exe')
      AND "CommandLine" ILIKE '%use%'
      AND (
        "CommandLine" ILIKE '%ADMIN$%'
        OR "CommandLine" ILIKE '%C$%'
        OR "CommandLine" ILIKE '%IPC$%'
      )
    )
  )
ORDER BY starttime DESC
high severity high confidence

QRadar AQL query targeting Windows Security Event IDs 5140 and 5145 (network share object access) for admin share enumeration, and Sysmon Event ID 1 (process creation) for PsExec/PaExec/remcom lateral movement tool execution and net use admin share mapping. Requires custom event properties EventID, ShareName, Image, and CommandLine to be configured via QRadar DSM editor for Microsoft Windows Security Event Log and Sysmon log sources.

Data Sources

QRadar DSM for Microsoft Windows Security Event Log (WinCollect agent or WEF)QRadar DSM for Sysmon via WinCollect or Windows Event ForwardingIBM QRadar WinCollect agent on monitored Windows endpoints

Required Tables

events

False Positives & Tuning

  • Enterprise endpoint management platforms (SCCM, Tanium, Ivanti Endpoint Manager) deploy software packages over SMB admin shares, generating high-volume 5140/5145 events during patch windows; whitelist known management server source IPs
  • Network backup agents (Veeam, Commvault, Cohesity) connecting to remote C$ or ADMIN$ for agent-less backup operations produce continuous share access events that match EventID 5140/5145 patterns
  • PsExec is a legitimate SysInternals utility used by IT help desk and sysadmin teams for remote command execution; correlate with expected source usernames and originating workstations to distinguish authorized use from adversarial lateral movement
Download portable Sigma rule (.yml)

Other platforms for T1021.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Map Admin Share with Net Use

    Expected signal: Sysmon Event ID 1: net.exe with CommandLine containing 'use' and 'C$'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4624 (LogonType=3, NTLM or Kerberos) on the target. Security Event ID 5140 (share accessed: \\*\C$).

  2. Test 2Copy File to ADMIN$ Share

    Expected signal: Sysmon Event ID 3: Network Connection to 127.0.0.1:445 from cmd.exe. Security Event ID 5145: Detailed network share file access for \\*\ADMIN$\calc_test.exe. Sysmon Event ID 11: File created at C:\Windows\calc_test.exe on the target.

  3. Test 3PsExec Remote Command Execution via ADMIN$

    Expected signal: Sysmon Event ID 1: psexec.exe process creation. Sysmon Event ID 11: PSEXESVC.exe file created in C:\Windows\. Security Event ID 7045: New service 'PSEXESVC' installed. Security Event ID 4624 (LogonType=3) on the target. Security Event ID 5140 (\\*\ADMIN$ accessed).

  4. Test 4Enumerate Admin Shares with Net View

    Expected signal: Sysmon Event ID 1: net.exe with CommandLine 'view \\127.0.0.1 /all'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 5140 (IPC$ share access for enumeration).

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1021.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.003Distributed Component Object ModelT1021.004SSHT1021.005VNCT1021.006Windows Remote ManagementT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1021.006Windows Remote ManagementT1047Windows Management InstrumentationT1053.005Scheduled TaskT1569.002Service ExecutionT1550.002Pass the HashT1570Lateral Tool TransferT1135Network Share Discovery

Same Tactic: Lateral Movement

Popular Detections