Techniques
Sample rules
Windows Administrative Shares Accessed On Multiple Hosts
- source: splunk
- technicques:
- T1135
Description
The following analytic leverages Event IDs 5140 or 5145 to identify a source computer accessing windows administrative shares (C$, Admin$ and IPC$ ) across a large number remote endpoints. Specifically, the logic will trigger when a source endpoint accesses administrative shares across 30 or more target computers within a 5 minute timespan. This behavior could represent an adversary who is enumerating network shares across an Active Directory environment in the search for sensitive files, a common technique leveraged by red teamers and threat actors. As environments differ across organizations, security teams should customize the thresholds of this detection as needed.
Detection logic
`wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$")
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode
| where unique_targets > 30
| `windows_administrative_shares_accessed_on_multiple_hosts_filter`