Detections
Analytics
Remote Services: SMB/Windows Admin Shares
Description
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users, Groups and Group membership | Plugin ID: 71246 |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | OS Command | Computer Connectivity | Plugin ID: 64582 |
| Tenable.io | AD starter or Identity scan | Active Directory | Standard AD User | LDAP | Domain Users and Groups |
References
Nessus Plugins:Enumerate Local Group Memberships
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Lateral Movement
Technique: Remote Services
Sub-Technique: SMB/Windows Admin Shares
Platform: Windows
Products Required: Tenable.io
Tenable Release Date: 2022 Q3