The 杏吧传媒 SOC team continues to see new ,听, and Qakbot malware outbreaks within networks 鈥 regardless of antivirus, anti-spam, or firewall solutions. As a result, we鈥檝e become聽迟辞辞听familiar with the hurdles MSPs and IT departments face when attempting to contain these worms (sometimes taking months to remediate).
In this blog post, we鈥檒l look at how these malware families (and attackers) abuse Windows鈥 Administrative Shares to propagate. We鈥檒l also share battle-tested techniques you can leverage to quickly curb the spread and begin remediation.
An often overlooked feature of Windows is the . These shares, which are enabled by default, provide administrators and software the functionality to remotely manage hosts. Although most network shares are visible within Windows Explorer鈥檚 network view (browse to \\localhost), administrative shares are not displayed. This is the result of a聽.
It should be noted that the word 鈥渉idden鈥 is a bit of a misnomer. Only Windows hides these shares from being displayed. If you were to , all 鈥渉idden shares鈥 would be visible.
In fact, even Windows allows you to locally and remotely discover 鈥渉idden鈥 shares using the聽net share 补苍诲听net view /all聽commands as shown in the image below:
Viewing admin shares on a Windows 10 host with a single partition and documentation on remote viewing.
Accessing the administrative shares requires administrative privileges. While useful under normal operations, Windows' administrative shares can be problematic when there is malware or an attacker on the network as the shares can be leveraged for .
Malware with worming capabilities, such as Emotet and Trickbot, will steal credentials and also use brute force to gain access to other systems on the network. Once the malware has obtained credentials, both Emotet and Trickbot use a technique similar to 聽to copy and execute malicious payloads on a remote victim host. This technique relies on the ability to access administrative shares.
For most networks, external access via the SMB protocol is blocked by the firewall. Within the internal network, however, SMB traffic is often unrestricted 鈥 allowing all hosts to communicate with each other. Consider the case where an administrator鈥檚 account was compromised (either stolen or brute-forced); if all the workstations have the same administrator credentials, the malware (or attacker) effectively has access to all the systems.
Someone (or something) with administrative privileges can wreak havoc on a single system. Through the malicious use of Windows Admin Shares, the result can be catastrophic if those administrative privileges grant access to multiple hosts.
Here are some simple steps you can take to minimize your risk of attackers exploiting Windows Administrative Shares:
Thousands of MSPs and IT practitioners rely on 杏吧传媒 to find and stop the advanced attacks that evade their preventive security measures. You can get complete access to the 杏吧传媒 Managed Security Platform with our free trial. Simply deploy our agent in minutes to an unlimited number of endpoints, set up a reporting integration into your ticketing system, and we鈥檒l deliver step-by-step remediation procedures for each compromised host we discover.
Get insider access to 杏吧传媒 tradecraft, killer events, and the freshest blog updates.
