CAPEC-561: Windows Admin Shares with Stolen Credentials

Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

Extended Description

Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.

Severity :

Possibility :

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-16: Dictionary-based Password Attack Dictionary-based Password Attack CAPEC-49: Password Brute Forcing Password Brute Forcing CAPEC-50: Password Recovery Exploitation Password Recovery Exploitation CAPEC-55: Rainbow Table Password Cracking Rainbow Table Password Cracking CAPEC-70: Try Common or Default Usernames and Passwords Try Common or Default Usernames and Passwords CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-165: File Manipulation File Manipulation CAPEC-545: Pull Data from System Resources Pull Data from System Resources CAPEC-549: Local Execution of Code Local Execution of Code CAPEC-565: Password Spraying Password Spraying CAPEC-568: Capture Credentials via Keylogger Capture Credentials via Keylogger CAPEC-643: Identify Shared Files/Directories on System Identify Shared Files/Directories on System CAPEC-653: Use of Known Operating System Credentials Use of Known Operating System Credentials

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The system/application is connected to the Windows domain.
The target administrative share allows remote use of local admin credentials to log into domain systems.
The adversary possesses a list of known Windows administrator credentials that exist on the target domain.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low Once an adversary obtains a known Windows credential, leveraging it is trivial.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Remote Services:SMB/Windows Admin Shares

Resources required

A list of known Windows administrator credentials for the targeted domain.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-262: Not Using Password Aging

CWE-263: Password Aging with Long Expiration

CWE-294: Authentication Bypass by Capture-replay

CWE-308: Use of Single-factor Authentication

CWE-309: Use of Password System for Primary Authentication

CWE-521: Weak Password Requirements

CWE-522: Insufficiently Protected Credentials

Visit http://capec.mitre.org/ for more details.