OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

SMB Lateral Movement - Enumeration Shares 

Endpoint Security Validation
Detection Rule Validation

概要

Validate your shares rights based on your user access

This scenario simulates an attacker’s behavior during the lateral movement phase of an intrusion, specifically by enumerating SMB file shares across reachable systems on the network. Once inside a network, threat actors often explore shared folders using SMB (Server Message Block) to locate files, staging areas, or systems with weak permissions that may help them escalate privileges, persist, or exfiltrate data.

Share enumeration involves querying target machines to retrieve a list of available SMB shares (e.g., ADMIN$, C$, IPC$ or custom departmental shares), along with their access control settings. If shares are misconfigured—such as allowing access to "Everyone", "Authenticated Users", or low-privileged accounts—they can be exploited for:

  • Dropping malicious payloads,
  • Executing remote commands,
  • Reading sensitive files or credentials,
  • Spreading malware (e.g., ransomware replication).

This scenario leverages common techniques (e.g., NetShareEnum, SMB protocol queries) to detect share exposure without performing write or destructive actions. It is ideal for evaluating the exposure of internal SMB shares and helping defenders fine-tune detection capabilities.

Objective:

  • Identify accessible SMB shares across the internal network.
  • Simulate real-world attacker reconnaissance for lateral movement.
  • Provide visibility into share misconfigurations or overly permissive access controls.

Use Case:

  • Purple team exercises simulating internal threat behavior.
  • Network exposure assessments.
  • Detection engineering and alert validation.
  • Asset inventory and legacy file server audit.

Tactics & Techniques:

  • Tactic: Lateral Movement / Discovery (MITRE ATT&CK: TA0008 / TA0007)
  • Technique: Remote Services – SMB/Windows Admin Shares [T1021.002]
  • Technique: File and Directory Discovery [T1083]
  • Tool Emulation: Behavior similar to net view, PowerView, smbclient, or rpcclient.

Impact:

This scenario does not attempt to authenticate with elevated privileges or modify content. It performs read-only enumeration of shares accessible by the provided account or using null/guest credentials, depending on configuration. It is safe in production environments but may trigger alerts on host or network monitoring systems.

Detection Tips:

Security teams should monitor for:

  • SMB enumeration activity from unexpected hosts or user accounts.
  • Windows Event ID 5140 (network share accessed) and Event ID 5156 (network connection).
  • Tools like smbclient, net view, or PowerShell scripts querying NetShareEnum APIs.
  • Suricata/Zeek alerts on SMB Tree Connect or Trans2 requests from non-admin systems.
  • These patterns can be used to create alerts for suspicious enumeration attempts or insider threat behavior.

Recommended Mitigations:

  • Limit share permissions using least privilege principles.
  • Remove or restrict default administrative shares when not needed (C$, ADMIN$).
  • Disable SMBv1 and require signing for SMBv2/v3 to enhance security.
  • Implement host-based firewalls to restrict SMB access between workstations.
  • Continuously audit and monitor file share configurations across systems.

References:

  • MITRE ATT&CK Technique: T1021.002 – SMB/Windows Admin Shares
  • Microsoft SMB Security Best Practices
  • CIS Benchmark: Windows File Sharing Controls

基本情報

Filigran
Sébastien Miguel
2026年7月01日
1.17.0
100+
30+

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。