CAPEC-561: Windows Admin Shares with Stolen Credentials

Description
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
Extended Description

Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels.

Severity :

Possibility :

Type :

Detailed
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The system/application is connected to the Windows domain.
  • The target administrative share allows remote use of local admin credentials to log into domain systems.
  • The adversary possesses a list of known Windows administrator credentials that exist on the target domain.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Once an adversary obtains a known Windows credential, leveraging it is trivial.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A list of known Windows administrator credentials for the targeted domain.

Visit http://capec.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Oct. 31, 2024 6:53