SMB/Windows Admin Shares
Use admin shares (ADMIN$, C$, IPC$) over SMB to execute on remote hosts.
§ Where this technique fits
T1021.002 is catalogued under the Lateral Movement tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, typically at step 4.8 on average.
Authoritative reference: attack.mitre.org/techniques/T1021/002/.
§ Dossiers chaining this technique
- step 4 / 8 · No creds → Domain Admin via LLMNR poisoning and NTLM relay
  Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
- step 5 / 5 · EternalBlue (MS17-010) → SMBv1 wormable spread
  Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- step 5 / 5 · RBCD abuse → SYSTEM on a domain host
  A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
- step 5 / 5 · MachineAccountQuota abuse → RBCD takeover of a server
  Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
§ What commonly comes next
- 01 · LSASS Memory · seen 1× · T1003.001 · Credential Access