Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
Author: Florian Roth (Nextron Systems) | Created: Sat Mar 04 | Updated: Tue Jan 16 | Rule ID: 098d7118-55bc-4912-a836-dc6483a8d150 | Product: windows
Log Source
Product: windows
Service: security
Definition
Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure
Detection Logic (2 selectors)
detection:
    selection:
        EventID: 5140
        ShareName: 'Admin$'
    filter_main_computer_account:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter_*

False Positives
Legitimate administrative activity
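To show how the selection and the computer-account filter above combine under Sigma's default matching (case-insensitive strings, `*` and `?` as wildcards), here is an added Python evaluator run over constructed Security 5140 records. This is example code, not part of the Sigma project or the rule page; it assumes the events have already been mapped to the Sigma field names used in the rule (EventID, ShareName, SubjectUserName) and that ShareName holds the bare share name.

```python
import fnmatch

# Constructed sample events in Sigma field names; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 5140, "ShareName": "ADMIN$", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 5140, "ShareName": "ADMIN$", "SubjectUserName": "WS01$", "IpAddress": "10.0.0.7"},
    {"EventID": 5140, "ShareName": "C$", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": 5145, "ShareName": "ADMIN$", "SubjectUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"EventID": "5140", "ShareName": "admin$", "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.9"},
]


def _field_matches(value, pattern, modifier=None):
    """Sigma-style string comparison: case-insensitive, wildcards allowed.

    Values are compared as strings so an EventID stored as "5140" or 5140
    behaves the same way. The optional modifier implements |endswith.
    """
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)


def selection(ev):
    """selection: EventID 5140 (share accessed) on the Admin$ share."""
    return _field_matches(ev.get("EventID"), 5140) and _field_matches(ev.get("ShareName"), "Admin$")


def filter_main_computer_account(ev):
    """filter_main_computer_account: machine accounts end with '$'."""
    return _field_matches(ev.get("SubjectUserName"), "$", "endswith")


# Any selector named filter_* takes part in "1 of filter_*".
FILTERS = [filter_main_computer_account]


def rule_matches(ev):
    """condition: selection and not 1 of filter_*"""
    return selection(ev) and not any(f(ev) for f in FILTERS)


def run_rule(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ADMIN$ access by", hit["SubjectUserName"], "from", hit["IpAddress"])
```

Only the two human-account accesses to ADMIN$ are reported; the machine-account access (WS01$), the C$ access and the 5145 event are left out, which is exactly what the condition line expresses.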
MITRE ATT&CK
Tactics: Lateral Movement (attack.lateral-movement)
Sub-techniques: T1021.002 Remote Services: SMB/Windows Admin Shares (attack.t1021.002)
Rule Metadata
Rule ID: 098d7118-55bc-4912-a836-dc6483a8d150
Status: test
Level: low
Type: Detection
Created: Sat Mar 04
Modified: Tue Jan 16
Path: rules/windows/builtin/security/win_security_admin_share_access.yml
Raw Tags: attack.lateral-movement, attack.t1021.002