CAPEC-561: Windows Admin Shares with Stolen Credentials
CAPEC Version: 3.9
Last Updated: 2023-01-24
Attack Pattern Description
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
Execution Flow
Step 1 Explore
[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.
- An adversary purchases breached Windows administrator credentials from the dark web.
- An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.
- An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.
- An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.
- An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.
Step 2 Experiment
[Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access.
- Manually or automatically enter each administrator credential through the target's interface.
Step 3 Exploit
[Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.
Step 4 Exploit
[Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares.
Prerequisites
- The system/application is connected to the Windows domain.
- The target administrative share allows remote use of local admin credentials to log into domain systems.
- The adversary possesses a list of known Windows administrator credentials that exist on the target domain.
Skills Required
Resources Required
- A list of known Windows administrator credentials for the targeted domain.
Consequences
Scope: Confidentiality, Access Control, Authentication
Technical Impact: Gain Privileges
Scope: Confidentiality, Authorization
Technical Impact: Read Data
Scope: Integrity
Technical Impact: Modify Data
Mitigations
- Do not reuse local administrator account credentials across systems.
- Deny remote use of local admin credentials to log into domain systems.
- Do not allow accounts to be a local administrator on more than one system.
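As an added example that is not part of this CAPEC entry, the following Python flags the lateral-movement pattern from steps 3 and 4 in constructed Windows Security Event ID 5140 ("A network share object was accessed") records: one source address and account reaching hidden admin shares on several hosts. The sample records are constructed; the field names follow that event's data fields, and the "local account" flag ties each hit to the mitigation that denies remote use of local admin credentials.

```python
from collections import defaultdict

# Constructed sample records shaped like the data fields of Windows Security
# Event ID 5140 ("A network share object was accessed"); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 5140, "Computer": "WS01", "SubjectUserName": "Administrator",
     "SubjectDomainName": "WS01", "ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.50"},
    {"EventID": 5140, "Computer": "WS02", "SubjectUserName": "Administrator",
     "SubjectDomainName": "WS02", "ShareName": r"\\*\C$", "IpAddress": "10.0.0.50"},
    {"EventID": 5140, "Computer": "FS01", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "ShareName": r"\\*\Public", "IpAddress": "10.0.0.50"},
    {"EventID": 5140, "Computer": "WS03", "SubjectUserName": "Administrator",
     "SubjectDomainName": "WS03", "ShareName": r"\\*\IPC$", "IpAddress": "10.0.0.77"},
    {"EventID": 4624, "Computer": "WS03", "SubjectUserName": "svc_backup",
     "SubjectDomainName": "CORP", "ShareName": "", "IpAddress": "10.0.0.9"},
]

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # hidden administrative shares

def share_basename(share_name):
    """Reduce the recorded share path to its name, e.g. ADMIN$ (5140 logs it as \\\\*\\ADMIN$)."""
    return share_name.rsplit("\\", 1)[-1].upper()

def is_local_account(event):
    """True when the account's domain is the target host itself, i.e. a local
    (not domain) account was used over the network."""
    return event["SubjectDomainName"].upper() == event["Computer"].upper()

def find_admin_share_fanout(events, min_hosts=2):
    """Group admin-share accesses by (source IP, account) and return those that
    reached at least min_hosts distinct computers. Each hit lists the hosts and
    whether a local account was used, which the mitigations above say to deny."""
    hosts = defaultdict(set)
    local_used = defaultdict(bool)
    for e in events:
        if e.get("EventID") != 5140:
            continue  # only share-access events matter here
        if share_basename(e["ShareName"]) not in ADMIN_SHARES:
            continue  # ordinary file shares are out of scope
        key = (e["IpAddress"], e["SubjectUserName"].lower())
        hosts[key].add(e["Computer"].upper())
        local_used[key] = local_used[key] or is_local_account(e)
    return {key: {"hosts": sorted(h), "local_account": local_used[key]}
            for key, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for (ip, user), hit in find_admin_share_fanout(SAMPLE_EVENTS).items():
        print(f"{user}@{ip} reached admin shares on {hit['hosts']} "
              f"(local account used: {hit['local_account']})")
```

On the constructed input only the 10.0.0.50/Administrator pair is reported, because it touched admin shares on two hosts with a local account; the single IPC$ access from 10.0.0.77 stays below the threshold.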
Example Instances
APT32 has leveraged Windows' built-in Net utility to use Windows Administrative Shares to copy and execute remote malware. [REF-579]
In May 2017, APT15 laterally moved within a Windows domain via Windows Administrative Shares to copy files to and from compromised host systems. This further allowed for the remote execution of malware. [REF-578]
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1021.002 | Remote Services: SMB/Windows Admin Shares |