Writing Local Admin Share

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.lateral-movement attack.t1546.002 ·

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Sigma rule (View on GitHub)

 1title: Writing Local Admin Share
 2id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
 3status: test
 4description: |
 5    Aversaries may use to interact with a remote network share using Server Message Block (SMB).
 6    This technique is used by post-exploitation frameworks.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
 9author: frack113
10date: 2022-01-01
11modified: 2022-08-13
12tags:
13    - attack.privilege-escalation
14    - attack.persistence
15    - attack.lateral-movement
16    - attack.t1546.002
17logsource:
18    product: windows
19    category: file_event
20detection:
21    selection:
22        TargetFilename|contains|all:
23            - '\\\\127.0.0'
24            - '\ADMIN$\'
25    condition: selection
26falsepositives:
27    - Unknown
28level: medium

References

atomic-red-team/atomics/T1021.002/T1021.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

Writing Local Admin Share

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1021.002/T1021.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Related rules