SigmaHQ/rules/windows/builtin/win_admin_share_access.yml

title: Access to ADMIN$ Share
id: 098d7118-55bc-4912-a836-dc6483a8d150
description: Detects access to $ADMIN share
tags:
    - attack.lateral_movement
    - attack.t1077          # an old one
    - attack.t1021.002
status: experimental
author: Florian Roth
date: 2017/03/04
modified: 2020/08/23
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
    selection:
        EventID: 5140
        ShareName: Admin$
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative activity
level: low
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`title: Access to ADMIN$ Share`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 098d7118-55bc-4912-a836-dc6483a8d150`
Rule: Fixed missing description 2018-06-08 09:38:27 +00:00			`description: Detects access to $ADMIN share`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.lateral_movement`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1077 # an old one`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1021.002`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`status: experimental`
			`author: Florian Roth`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/04`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`modified: 2020/08/23`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`detection:`
			`selection:`
Bugfixes and improvements 2017-03-21 09:24:20 +00:00			`EventID: 5140`
			`ShareName: Admin$`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`filter:`
Update win_admin_share_access.yml Getting rid of '*' use 2020-10-15 18:03:31 +00:00			`SubjectUserName\|endswith: '$'`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`condition: selection and not filter`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`falsepositives:`
Rule: Access to ADMIN$ share 2017-03-14 13:53:03 +00:00			`- Legitimate administrative activity`
			`level: low`