Remote Services: SMB/Windows Admin Shares


Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanSMBWindows ServicesPlugin ID: 44401
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanWMILocal Users, Groups and Group membershipPlugin ID: 71246
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanOS CommandComputer ConnectivityPlugin ID: 64582
Tenable.ioAD starter or Identity scanActive DirectoryStandard AD UserLDAPDomain Users and Groups


Nessus Plugins:Enumerate Local Group Memberships

Microsoft Windows SMB Service Config Enumeration

Netstat Connection Information

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Lateral Movement

Technique: Remote Services

Platform: Windows

Products Required:

Tenable Release Date: 2022 Q3