SMB Lateral Movement - Enumeration Shares 

This scenario simulates an attacker’s behavior during the lateral movement phase of an intrusion, specifically by enumerating SMB file shares across reachable systems on the network. Once inside a network, threat actors often explore shared folders using SMB (Server Message Block) to locate files, staging areas, or systems with weak permissions that may help them escalate privileges, persist, or exfiltrate data.

Share enumeration involves querying target machines to retrieve a list of available SMB shares (e.g., ADMIN$, C$, IPC$ or custom departmental shares), along with their access control settings. If shares are misconfigured—such as allowing access to "Everyone", "Authenticated Users", or low-privileged accounts—they can be exploited for:

• Dropping malicious payloads,
• Executing remote commands,
• Reading sensitive files or credentials,
• Spreading malware (e.g., ransomware replication).

This scenario leverages common techniques (e.g., NetShareEnum, SMB protocol queries) to detect share exposure without performing write or destructive actions. It is ideal for evaluating the exposure of internal SMB shares and helping defenders fine-tune detection capabilities.

Objective:

• Identify accessible SMB shares across the internal network.
• Simulate real-world attacker reconnaissance for lateral movement.
• Provide visibility into share misconfigurations or overly permissive access controls.

Use Case:

• Purple team exercises simulating internal threat behavior.
• Network exposure assessments.
• Detection engineering and alert validation.
• Asset inventory and legacy file server audit.

Tactics & Techniques:

• Tactic: Lateral Movement / Discovery (MITRE ATT&CK: TA0008 / TA0007)
• Technique: Remote Services – SMB/Windows Admin Shares [T1021.002]
• Technique: File and Directory Discovery [T1083]
• Tool Emulation: Behavior similar to net view, PowerView, smbclient, or rpcclient.

Impact:

This scenario does not attempt to authenticate with elevated privileges or modify content. It performs read-only enumeration of shares accessible by the provided account or using null/guest credentials, depending on configuration. It is safe in production environments but may trigger alerts on host or network monitoring systems.

Detection Tips:

Security teams should monitor for:

• SMB enumeration activity from unexpected hosts or user accounts.
• Windows Event ID 5140 (network share accessed) and Event ID 5156 (network connection).
• Tools like smbclient, net view, or PowerShell scripts querying NetShareEnum APIs.
• Suricata/Zeek alerts on SMB Tree Connect or Trans2 requests from non-admin systems.
• These patterns can be used to create alerts for suspicious enumeration attempts or insider threat behavior.

Recommended Mitigations:

• Limit share permissions using least privilege principles.
• Remove or restrict default administrative shares when not needed (C$, ADMIN$).
• Disable SMBv1 and require signing for SMBv2/v3 to enhance security.
• Implement host-based firewalls to restrict SMB access between workstations.
• Continuously audit and monitor file share configurations across systems.

References:

• MITRE ATT&CK Technique: T1021.002 – SMB/Windows Admin Shares
• Microsoft SMB Security Best Practices
• CIS Benchmark: Windows File Sharing Controls