MITRE’s data sources
- Process use of network
- Authentication logs
- Process monitoring
- Process command-line parameters
Process use of network
The malicious use of Windows Admin Shares is often accompanied by large numbers of internal network connections to hosts over the SMB protocol on port 445. Monitoring for this type of activity—high volumes of network connections over port 445—has been instrumental in helping us identify adversarial uses of Windows Admin Shares.
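The high-volume port 445 pattern described above can be turned into a simple sliding-window rule over connection telemetry. The following is an added example, not code from the original report: it counts, per source host and process, how many distinct destination hosts were reached over port 445 inside a five-minute window, and flags any pair that crosses a threshold. The record layout, the host names, the addresses and the threshold of ten hosts are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed network-connection telemetry (not real data).
# Each record: (timestamp, source host, process name, destination host, destination port)
BASE = datetime(2023, 1, 10, 9, 0, 0)
SAMPLE_CONNECTIONS = (
    # WS-07 / cmd.exe touches 12 different hosts over SMB within two minutes
    [(BASE + timedelta(seconds=10 * i), "WS-07", "cmd.exe", f"10.0.1.{i + 1}", 445) for i in range(12)]
    # same host browsing the web: port 80 traffic is ignored by the rule
    + [(BASE + timedelta(seconds=10 * i), "WS-07", "chrome.exe", f"203.0.113.{i + 1}", 80) for i in range(12)]
    # WS-01 / svchost.exe talking to two file servers: normal, low fan-out
    + [(BASE + timedelta(minutes=m), "WS-01", "svchost.exe", ip, 445)
       for m, ip in ((0, "10.0.0.5"), (1, "10.0.0.6"), (2, "10.0.0.5"))]
    # WS-03 reaches 15 hosts, but only one every ten minutes: never inside one window
    + [(BASE + timedelta(minutes=10 * i), "WS-03", "cmd.exe", f"10.0.2.{i + 1}", 445) for i in range(15)]
)


def smb_fanout(records, window=timedelta(minutes=5), threshold=10, port=445):
    """Return {(source_host, process): peak_distinct_destinations} for every
    source/process pair that reached at least `threshold` distinct hosts on
    `port` within any `window`-long span of the telemetry."""
    recent = defaultdict(deque)   # (src, proc) -> deque of (timestamp, dst) inside the window
    peak = {}
    for ts, src, proc, dst, dport in sorted(records, key=lambda r: r[0]):
        if dport != port:
            continue
        key = (src, proc)
        q = recent[key]
        q.append((ts, dst))
        # drop connections that fell out of the window
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peak[key] = max(peak.get(key, 0), distinct)
    return peak


if __name__ == "__main__":
    for (src, proc), count in smb_fanout(SAMPLE_CONNECTIONS).items():
        print(f"ALERT {src} {proc}: {count} distinct hosts over port 445 within 5 minutes")
```

The window matters as much as the threshold: the slow, one-host-every-ten-minutes scan from WS-03 in the sample never trips the rule, which is exactly the kind of gap a longer window or a per-day distinct-host count would close, at the cost of more noise from legitimate file servers and management hosts.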
Authentication logs, process monitoring, process command-line parameters
Authentication logs are a useful data source for observing certain aspects of malicious use of Windows Admin Shares. So too is process monitoring, which is often used in conjunction with Scheduled Tasks, Service Execution, and Windows Management Instrumentation (WMI). Process command-line parameters are useful as well, particularly for localhost shares.
While MITRE doesn’t list it explicitly, security teams should also consider monitoring network shares (e.g., ADMIN$, C$, and PRINT$), because malicious use of Windows Admin Shares frequently coincides with execution from network shares. An example of this might include the redirection of host or other data in the service of conducting reconnaissance on the localhost admin share.
Some telemetry patterns to help detect this type of behavior include the use of cmd.exe with the names of shares such as
Weeding out false positives
Because admin shares are often used within the enterprise, but are rarely used uniformly across enterprises, generic detection strategies frequently lead to high false positive rates.
If admin shares are being legitimately used, process and process command-line monitoring may allow you to build a list of processes and attributes that are known, so that you can alert on any deviations. For example, if you expect process ntoskrnl.exe to make a local admin share modification to a specific file at path 127.0.0.1\admin$\[name-of-file], then those events can be suppressed while any other process touching the share generates an alert.
Other common sources of false positives are inventory and asset discovery systems. Extend the whitelisting strategy above, adding criteria for initiating system(s), frequency, time of day, and other limiting factors. Just be sure to closely monitor the integrity of any system that you add to your list of trusted initiators, as these systems may be useful targets to an adversary.
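The two ideas in this section, matching admin share names in process command lines and suppressing known-good activity by process, initiating host and time of day, fit together in one rule. The following is an added example, not code from the original report. It extracts UNC paths that reference ADMIN$, C$ or PRINT$ from constructed process telemetry, then drops any hit that matches an allowlist entry; the inventory agent name, host names, users, command lines and permitted hours are all constructed for the example.

```python
import re
from datetime import datetime

# A UNC path whose share is one of the admin shares named in the text:
# \\host\ADMIN$..., \\host\C$..., \\host\PRINT$...
SHARE_PATH_RE = re.compile(
    r'\\\\[^\\\s"]+\\(?:admin\$|c\$|print\$)(?:\\[^\s"]*)?', re.IGNORECASE
)

# Constructed process telemetry (not real data).
# Each event: (timestamp, host the process ran on, user, process name, command line)
SAMPLE_EVENTS = [
    (datetime(2023, 1, 10, 2, 15), "INV-01", "svc_inventory", "inventory.exe",
     r'inventory.exe --out \\WS-12\admin$\inv\scan.dat'),          # expected: inventory host, 02:00-05:00
    (datetime(2023, 1, 10, 2, 20), "WS-44", "jdoe", "inventory.exe",
     r'inventory.exe --out \\WS-12\admin$\inv\scan.dat'),          # same command, wrong initiating host
    (datetime(2023, 1, 10, 14, 3), "WS-07", "jdoe", "cmd.exe",
     r'cmd.exe /c dir \\WS-12\C$\Users'),                          # cmd.exe enumerating a remote C$
    (datetime(2023, 1, 10, 14, 0), "INV-01", "svc_inventory", "inventory.exe",
     r'inventory.exe --out \\WS-12\admin$\inv\scan.dat'),          # right host, outside permitted hours
    (datetime(2023, 1, 10, 9, 30), "WS-02", "asmith", "explorer.exe",
     r'C:\Windows\explorer.exe'),                                  # no admin share reference
]

# Constructed allowlist: process, initiating host, path pattern and permitted
# hours (start inclusive, end exclusive). Every field must match to suppress.
ALLOWLIST = [
    {
        "process": "inventory.exe",
        "host": "INV-01",
        "path": re.compile(r'^\\\\[^\\]+\\admin\$\\inv\\', re.IGNORECASE),
        "hours": (1, 5),
    },
]


def is_allowed(event, path, allowlist):
    """True when the share access matches a known-good rule on every criterion."""
    ts, host, _user, process, _cmdline = event
    for rule in allowlist:
        if (process.lower() == rule["process"].lower()
                and host == rule["host"]
                and rule["path"].match(path)
                and rule["hours"][0] <= ts.hour < rule["hours"][1]):
            return True
    return False


def detect_admin_share_use(events, allowlist=ALLOWLIST):
    """Return one alert per admin share path found in a command line that is
    not covered by the allowlist."""
    alerts = []
    for event in events:
        ts, host, user, process, cmdline = event
        for match in SHARE_PATH_RE.finditer(cmdline):
            path = match.group(0)
            if not is_allowed(event, path, allowlist):
                alerts.append({"time": ts.isoformat(), "host": host, "user": user,
                               "process": process, "path": path})
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_share_use(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Three of the five sample events alert: the command from the wrong host, the cmd.exe enumeration of a remote C$, and the inventory run outside its maintenance window. Frequency limits (for instance, no more than one run per target host per day) can be added as another rule field in the same way; whatever the criteria, the allowlisted hosts themselves need close integrity monitoring, since a compromised trusted initiator would pass every check.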