Detection: Windows Administrative Shares Accessed On Multiple Hosts

Updated Date: 2024-05-19 ID: d92f2d95-05fb-48a7-910f-4d3d61ab8655 Author: Mauricio Velazco, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.

1 `wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") 
2| bucket span=5m _time 
3| stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares by _time, IpAddress, SubjectUserName, EventCode 
4| where unique_targets > 30 
5| `windows_administrative_shares_accessed_on_multiple_hosts_filter`

Data Source

Name Platform Sourcetype Source Supported App
Windows Event Log Security 5140 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Security' N/A

Macros Used

Name Value
wineventlog_security eventtype=wineventlog_security OR Channel=security OR source=XmlWinEventLog:Security
windows_administrative_shares_accessed_on_multiple_hosts_filter search *
windows_administrative_shares_accessed_on_multiple_hosts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1135 Network Share Discovery Discovery
KillChainPhase.EXPLOITAITON
NistCategory.DE_CM
Cis18Value.CIS_10
APT1
APT32
APT38
APT39
APT41
Chimera
DarkVishnya
Dragonfly
FIN13
Sowbug
Tonto Team
Tropic Trooper
Wizard Spider

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search, you need to be ingesting file share events. The Advanced Security Audit policy setting Audit Detailed File Share or Audit File Share within Object Access need to be enabled.

Known False Positives

An single endpoint accessing windows administrative shares across a large number of endpoints is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured systems.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
$IpAddress$ accessed the IPC share on more than 30 endpoints in a timespan of 5 minutes. 56 70 80
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Security XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Security XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2