T1021.002 Sumo Logic CSE · Sumo

Detect SMB/Windows Admin Shares in Sumo Logic CSE

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). Windows systems have hidden administrative shares (C$, ADMIN$, IPC$) accessible only to administrators. Adversaries abuse these shares to copy tools, execute payloads, and move laterally throughout a network. Major ransomware families (Conti, Ryuk, NotPetya, Emotet, Royal, RansomHub) and APT groups (APT41, Sandworm, Wizard Spider, Chimera) have all leveraged SMB admin shares for lateral movement. Common execution methods paired with SMB include PsExec, scheduled tasks, service creation, and WMI.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1021 Remote Services
Sub-technique: T1021.002 SMB/Windows Admin Shares
Canonical reference: https://attack.mitre.org/techniques/T1021/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*Windows* OR _sourceCategory=*WinEvent* OR _sourceCategory=*Sysmon*)
| parse regex "EventID[^>]*>(?<event_id>\d+)" nodrop
| parse regex "ShareName[^>]*>(?<share_name>[^<]+)" nodrop
| parse regex "<Image[^>]*>(?<process_image>[^<]+)" nodrop
| parse regex "CommandLine[^>]*>(?<command_line>[^<]+)" nodrop
| parse regex "IpAddress[^>]*>(?<source_ip>[^<]+)" nodrop
| parse regex "SubjectUserName[^>]*>(?<subject_user>[^<]+)" nodrop
| where (
    (event_id in ("5140", "5145")
      AND (share_name matches "*ADMIN$*" OR share_name matches "*C$*" OR share_name matches "*IPC$*"))
    OR (event_id = "1"
        AND (process_image matches "*psexec.exe" OR process_image matches "*psexec64.exe"
             OR process_image matches "*paexec.exe" OR process_image matches "*remcom.exe"))
    OR (event_id = "1"
        AND (process_image matches "*net.exe" OR process_image matches "*net1.exe")
        AND toLowerCase(command_line) matches "*use*"
        AND (command_line matches "*ADMIN$*" OR command_line matches "*C$*" OR command_line matches "*IPC$*"))
  )
| fields _messageTime, _sourceHost, event_id, share_name, source_ip, process_image, command_line, subject_user
| sort by _messageTime desc
Severity: high. Confidence: high.

Sumo Logic query using regex field extraction against raw Windows XML event log and Sysmon payloads to detect three SMB admin share abuse patterns: EventID 5140/5145 network share object access to hidden administrative shares, Sysmon EventID 1 process creation for PsExec/PaExec/remcom tool execution, and net use commands explicitly targeting ADMIN$, C$, or IPC$ shares. Designed for Windows XML event logs collected via Sumo Logic installed collector or Windows Event Forwarding.

Data Sources

  • Windows Event Log source via Sumo Logic installed collector (Windows Security and System logs)
  • Sysmon operational log (Microsoft-Windows-Sysmon/Operational) via Sumo Logic collector
  • Windows Event Forwarding (WEF) subscription forwarding to Sumo Logic HTTP Source

Required Tables

  • _sourceCategory=*Windows*
  • _sourceCategory=*Sysmon*
  • _sourceCategory=*WinEvent*

False Positives & Tuning

  • Windows EventID 5140 is generated for every network share access including routine NETLOGON and SYSVOL access from all domain-joined systems; ensure the where clause strictly filters to ADMIN$, C$, and IPC$ share names to minimize false positive volume
  • Systems running scheduled backup jobs (Veeam, Backup Exec) that connect to remote administrative shares generate persistent 5140/5145 events; create exclusion filters for known backup service account usernames and source host names
  • IT automation and configuration management tooling (Ansible, Puppet, Chef using WinRM + SMB) that leverages administrative shares for file transfer will match the net use and PsExec detections during deployment runs; correlate with change management records
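As an added Python example (not part of this page or the Sumo content pack), the following reproduces the query's parse regex stages and where clause over constructed event XML, and applies the backup service-account exclusion recommended under False Positives & Tuning, so the detection logic can be checked offline before deployment. The sample events, the svc_veeam account name and the sec/sysmon builder helpers are assumptions.

```python
import re

# Extraction patterns copied from the parse regex stages of the Sumo query above.
FIELDS = {
    "event_id": r"EventID[^>]*>(?P<v>\d+)",
    "share_name": r"ShareName[^>]*>(?P<v>[^<]+)",
    "process_image": r"<Image[^>]*>(?P<v>[^<]+)",  # matches an <Image> element, not Data Name="Image"
    "command_line": r"CommandLine[^>]*>(?P<v>[^<]+)",
    "subject_user": r"SubjectUserName[^>]*>(?P<v>[^<]+)",
}
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")
PSEXEC_LIKE = ("psexec.exe", "psexec64.exe", "paexec.exe", "remcom.exe")

def parse_event(xml):
    """Extract the query's fields; a field with no match stays None (the nodrop behaviour)."""
    return {k: (m.group("v") if (m := re.search(p, xml)) else None) for k, p in FIELDS.items()}

def classify(ev):
    """Mirror the query's where clause; return the pattern that fired, or None."""
    eid, share = ev["event_id"], ev["share_name"] or ""
    image, cmd = (ev["process_image"] or "").lower(), ev["command_line"] or ""  # PsExec.exe == psexec.exe
    if eid in ("5140", "5145") and any(s in share for s in ADMIN_SHARES):
        return "admin_share_access"
    if eid == "1" and image.endswith(PSEXEC_LIKE):
        return "psexec_tool"
    if eid == "1" and image.endswith(("net.exe", "net1.exe")) \
            and "use" in cmd.lower() and any(s in cmd for s in ADMIN_SHARES):
        return "net_use_admin_share"
    return None

def detect(events, excluded_users=frozenset()):
    """Run the detection, suppressing hits from allow-listed accounts (the tuning step above)."""
    hits = []
    for ev in map(parse_event, events):
        label = classify(ev)
        if label and (ev["subject_user"] or "").lower() not in excluded_users:
            hits.append((label, ev["subject_user"]))
    return hits

# Constructed, abbreviated event XML (not real telemetry) in the shapes the regexes expect.
def sec(eid, user, share):  # Security-log style: Data Name='...' fields
    return (f"<Event><System><EventID>{eid}</EventID></System><EventData><Data Name='SubjectUserName'>"
            f"{user}</Data><Data Name='ShareName'>{share}</Data></EventData></Event>")
def sysmon(image, cmd):  # Sysmon style with Image rendered as its own element; no SubjectUserName
    return (f"<Event><System><EventID>1</EventID></System><EventData><Image>{image}</Image>"
            f"<CommandLine>{cmd}</CommandLine></EventData></Event>")
SAMPLE = [sec(5145, "jdoe", r"\\*\ADMIN$"), sec(5140, "svc_veeam", r"\\*\C$"),
          sec(5140, "jdoe", r"\\*\NETLOGON"), sysmon(r"C:\Tools\PsExec.exe", r"PsExec.exe \\srv1 cmd"),
          sysmon(r"C:\Windows\System32\net.exe", r"net use \\srv1\C$ /user:admin")]
```

The `<Image` pattern, in the query and here, only matches when Image is rendered as its own element; if your collector emits `<Data Name="Image">` for Sysmon fields, the PsExec and net use branches will never fire until that regex is adjusted.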


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Map Admin Share with Net Use

    Expected signal: Sysmon Event ID 1: net.exe with CommandLine containing 'use' and 'C$'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4624 (LogonType=3, NTLM or Kerberos) on the target. Security Event ID 5140 (share accessed: \\*\C$).

  2. Test 2: Copy File to ADMIN$ Share

    Expected signal: Sysmon Event ID 3: Network Connection to 127.0.0.1:445 from cmd.exe. Security Event ID 5145: Detailed network share file access for \\*\ADMIN$\calc_test.exe. Sysmon Event ID 11: File created at C:\Windows\calc_test.exe on the target.

  3. Test 3: PsExec Remote Command Execution via ADMIN$

    Expected signal: Sysmon Event ID 1: psexec.exe process creation. Sysmon Event ID 11: PSEXESVC.exe file created in C:\Windows\. Security Event ID 7045: New service 'PSEXESVC' installed. Security Event ID 4624 (LogonType=3) on the target. Security Event ID 5140 (\\*\ADMIN$ accessed).

  4. Test 4: Enumerate Admin Shares with Net View

    Expected signal: Sysmon Event ID 1: net.exe with CommandLine 'view \\127.0.0.1 /all'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 5140 (IPC$ share access for enumeration).

Unlock Pro Content

Get the full detection package for T1021.002 including response playbook, investigation guide, and atomic red team tests.
