CAPEC-561: Windows Admin Shares with Stolen Credentials (Version 2.11)

Attack Pattern ID: 561
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

Windows systems have hidden network shares that are only accessible to administrators and allow files to be written to the local computer. Example network shares include: C$, ADMIN$ and IPC$. Adversaries may use valid administrator credentials to remotely access a network share to transfer files and execute code. It is possible for adversaries to use NTLM hashes to access administrator shares on systems with certain configuration and patch levels.

+ Solutions and Mitigations

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow accounts to be a local administrator on more than one system.
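The following audit sketch is an added example, not part of the CAPEC entry. It assumes the "deny remote use of local admin credentials" mitigation is implemented through the "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services" user rights, using the well-known SIDs S-1-5-113 and S-1-5-114, and that the input is the decoded text of a `secedit /export` policy dump; the sample dumps are constructed.

```python
# Added example: check a `secedit /export` dump for rights that block remote logon by local accounts.
LOCAL_ACCOUNT = "S-1-5-113"  # NT AUTHORITY\Local account
LOCAL_ADMIN = "S-1-5-114"    # NT AUTHORITY\Local account and member of Administrators group
DENY_RIGHTS = ("SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight")


def privilege_rights(inf_text):
    """Return {right: set of principals} parsed from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs as *S-1-...; resolved account names carry no star.
        members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
        rights[name.strip()] = members
    return rights


def audit(inf_text):
    """Map each deny right to True when it covers local (admin) accounts."""
    rights = privilege_rights(inf_text)
    blocked = {LOCAL_ACCOUNT, LOCAL_ADMIN}
    return {r: bool(rights.get(r, set()) & blocked) for r in DENY_RIGHTS}


# Constructed sample exports (not taken from a real host).
HARDENED = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-114
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-113
"""
WEAK = """[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = Guest
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(text))
```

A host reporting `False` for `SeDenyNetworkLogonRight` still accepts network logons from local administrator accounts, so a password or hash reused across systems remains usable against its admin shares.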

+ References
[R.561.1] ATT&CK Project. "Windows Admin Shares (1077)". MITRE. <https://attack.mitre.org/wiki/Windows_admin_shares>.
+ Content History
CAPEC Content Team | The MITRE Corporation | 2015-11-09 | Internal_CAPEC_Team

Page Last Updated or Reviewed: August 04, 2017