TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Black Hills InfoSec

Finding Buried Treasure in Server Message Block (SMB)

BHIS · 2021-04-19

ATT&CK techniques detected

11 predictions

T1135 Network Share Discovery (99%)
“…other languages and much of its functionality serves as the basis for the BloodHound project. Two functions are most valuable for performing discovery on a Windows Active Directory (AD) network. The first, Get-NetComputer, is used to collect target computer names so we can cr…”

T1135 Network Share Discovery (99%)
“…solution. The attacker would likely need evidence that UEBA is in place to take this action. The attacker can also perform manual analysis to identify hosts that might be more valuable for sensitive data discovery. Contextual clues often appear in hostnames, groups assigned to us…”

T1059.001 PowerShell (88%)
“…content. Obviously, that is not a hard and fast rule, as one environment can differ significantly from another. In order to generate the triage lists described above, we need to get our hands on PowerSploit PowerView or SharpView. Commands shown below are for PowerView 2.0 but t…”

T1135 Network Share Discovery (76%)
“…would make access to superfluous network shares impossible from the user workstation segment. Many options for effective segmentation exist including: - network-based firewalls - host-based firewalls - network infrastructure. A simplified diagram of illustrating the described…”

T1135 Network Share Discovery (74%)
“Finding Buried Treasure in Server Message Block (SMB). Finding Buried Treasure in Server Message Block (SMB). Service Message Block (SMB) shares can represent a significant risk to an organization. Companies often lack a realistic understanding of the exposure that SMB shares…”

T1132.001 Standard Encoding (71%)
“…iwr "https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1" -UseBasicParsing) PS C:\> Get-NetComputer -OperatingSystem *2003* | Out-File -Encoding ascii windows2003hosts.txt PS C:\> Get-NetComputer -Ope…”

T1021.002 SMB/Windows Admin Shares (63%)
“…organization. It’s likely that in a given environment, many more cases will be present. However, the analysis below simply serves to illustrate latent risk due to SMB share exposure. Administrative Access. Probably the most notorious and useful shares that can be exposed in the…”

T1021.002 SMB/Windows Admin Shares (61%)
“Finding Buried Treasure in Server Message Block (SMB). Finding Buried Treasure in Server Message Block (SMB). Service Message Block (SMB) shares can represent a significant risk to an organization. Companies often lack a realistic understanding of the exposure that SMB shares…”

T1021.002 SMB/Windows Admin Shares (55%)
“…share is necessary and appropriate given the context of the observed access. Any shares found to be unneeded should be disabled. Remaining shares should have permissions adjusted to address principle of least privilege and need to know requirements. Permission Adjustment. SMB shar…”

T1135 Network Share Discovery (53%)
“…-ShareFinder portion of the command. Doing so allows the script to evaluate the elements of the computer listing in parallel fashion. The resulting output files, generated above, will serve as the source for our sensitive content discovery operation, described in the next sectio…”

T1021.002 SMB/Windows Admin Shares (32%)
“…are for the ‘Everyone’ group to have read access. As you can probably already tell, shares created with default conditions in both cases, will typically allow any authenticated member of the ‘Domain Users’ group to read content on the share. The second strategy is to correct…”

Summary

David Fletcher // Service Message Block (SMB) shares can represent a significant risk to an organization. Companies often lack a realistic understanding of the exposure that SMB shares represent. Effective management typically requires a sound information management […]

The post Finding Buried Treasure in Server Message Block (SMB) appeared first on Black Hills Information Security, Inc.