Our ThreatOps team continues to see new Emotet, Trickbot, and Qakbot malware outbreaks within networks — regardless of antivirus, anti-spam, or firewall solutions. As a result, we’ve become too familiar with the hurdles businesses face when attempting to contain these worms (sometimes taking months to remediate). In this article, we’ll look at how these malware families (and attackers) abuse Windows’ Administrative Shares to propagate. We’ll also share battle-tested techniques you can leverage to quickly curb the spread and begin remediation.
So What Are Administrative Shares?
An often overlooked feature of Windows is the set of administrative shares (for example `ADMIN$` and `C$`). These shares, which are enabled by default, give administrators and management software the ability to manage hosts remotely. Although most network shares are visible within Windows Explorer’s network view (browse to \\localhost), administrative shares are not displayed: Windows hides any share whose name ends with a “$”. Windows does, however, let you discover these “hidden” shares locally and remotely using the `net share` and `net view /all` commands.
Accessing the administrative shares requires administrative privileges. While useful under normal operations, the administrative shares can be problematic when there is malware or an attacker on the network as the shares can be leveraged for lateral movement.
Malware with worming capabilities, such as Emotet and Trickbot, will steal credentials and also use brute-force to gain access to other systems on the network. Once the malware has obtained credentials, both Emotet and Trickbot use a technique similar to Microsoft’s PsExec tool to copy and execute malicious payloads on a remote victim host. This technique relies on the ability to access administrative shares.
For most networks, external access via the SMB protocol is blocked by the firewall. However, within the internal network, SMB traffic is often unrestricted — allowing all hosts to communicate with each other. Consider the case where an administrator’s account was compromised (either stolen or brute-forced); if all the workstations share the same local administrator credentials, the malware (or attacker) effectively has access to every one of those systems.
What Can You Do to Reduce the Risk?
Someone (or something) with administrative privileges can wreak havoc on a single system. The result can be catastrophic if those administrative privileges grant access to multiple hosts. Below are some things you can do to minimize the risk:
- Randomize the local administrator password on hosts using tools such as Microsoft’s “Local Administrator Password Solution” (LAPS).
- Regularly audit accounts with administrative privileges and limit administrative access to only those users who require it. Keeping the number of administrative accounts low presents fewer “high value” targets for attackers.
- On hosts that are not sharing resources with other systems (e.g., workstations), consider disabling administrative shares or enabling the local firewall to block access to the ports used for SMB.
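The following PowerShell script is an added example (not part of the original article) that checks a workstation for the items above: it lists the hidden shares, shows who holds local administrator rights, and reports whether inbound SMB is blocked and whether automatic creation of the workstation admin shares is disabled. It assumes Windows 10/11 with PowerShell 5.1 or later, run as a local administrator; the `-Harden` switch is a hypothetical name chosen for this example.

```powershell
# Added example: audit (and optionally harden) a workstation for the risks
# described above. Assumes Windows 10/11, PowerShell 5.1+, elevated session.
param(
    [switch]$Harden   # hypothetical switch: apply changes instead of only reporting
)

# 1. Which hidden (administrative) shares does this host currently expose?
$adminShares = Get-SmbShare | Where-Object { $_.Name -like '*$' }
Write-Host 'Hidden shares:' ($adminShares.Name -join ', ')

# 2. Who is in the local Administrators group? The shorter this list, the
#    fewer "high value" credentials a worm can steal or brute-force.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize

# 3. Is inbound SMB (TCP 445) blocked by the host firewall? A PsExec-style
#    copy-and-execute against ADMIN$ needs this port reachable.
$smbBlock = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 }
if (-not $smbBlock) { Write-Warning 'No enabled inbound block rule for TCP 445 found.' }

# 4. Does the Server service recreate ADMIN$ and C$ at startup?
#    AutoShareWks = 0 stops that on workstation SKUs (IPC$ is unaffected).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShare = (Get-ItemProperty -Path $key -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($autoShare -ne 0) { Write-Warning 'AutoShareWks is not 0; ADMIN$ and C$ are recreated on restart.' }

if ($Harden) {
    # Disable recreation of the workstation admin shares and block inbound SMB.
    # The registry change takes effect after the LanmanServer service restarts.
    Set-ItemProperty -Path $key -Name AutoShareWks -Value 0 -Type DWord
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host 'Hardening applied; restart the LanmanServer service or reboot.'
}
```

Run it without `-Harden` first to see the report; only apply the changes on hosts that do not serve files or rely on remote management over `ADMIN$`, as the list item above notes.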
Curious what’s lurking in your networks?
Let RG Technologies and our ThreatOps team protect your network and find what’s lurking in the dark corners of your network. You might not like what we find…