title: SMB/Windows Admin Shares (T1021.002)
id: df00tech-t1021-002
status: experimental
description: "Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). Windows systems have hidden administrative shares (C$, ADMIN$, IPC$) accessible only to administrators. Adversaries abuse these shares to copy tools, execute payloads, and move laterally throughout a network. Major ransomware families (Conti, Ryuk, NotPetya, Emotet, Royal, RansomHub) and APT groups (APT41, Sandworm, Wizard Spider, Chimera) have all leveraged SMB admin shares for lateral movement. Common execution methods paired with SMB include PsExec, scheduled tasks, service creation, and WMI."
references:
  - https://attack.mitre.org/techniques/T1021/002/
  - https://df00tech.com/detections/T1021.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - SCCM/Intune agents distributing software packages via ADMIN$ shares to managed endpoints
  - Backup agents (Veeam, NetBackup, Commvault) accessing C$ for backup operations
  - IT administrators manually copying files to ADMIN$ for troubleshooting or patching
  - Legitimate PsExec use by sysadmins for remote command execution on managed hosts
  - Windows file sharing between workstations in peer-to-peer environments or home networks
level: high
