Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
Sigma rule (View on GitHub)
1title: Access To ADMIN$ Network Share
2id: 098d7118-55bc-4912-a836-dc6483a8d150
3status: test
4description: Detects access to ADMIN$ network share
5references:
6 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
7author: Florian Roth (Nextron Systems)
8date: 2017-03-04
9modified: 2024-01-16
10tags:
11 - attack.lateral-movement
12 - attack.t1021.002
13logsource:
14 product: windows
15 service: security
16 definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
17detection:
18 selection:
19 EventID: 5140
20 ShareName: 'Admin$'
21 filter_main_computer_account:
22 SubjectUserName|endswith: '$'
23 condition: selection and not 1 of filter_*
24falsepositives:
25 - Legitimate administrative activity
26level: low
References
Related rules
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe
- DCOM InternetExplorer.Application Iertutil DLL Hijack - Security