CAPEC-561

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Windows Admin Shares with Stolen Credentials

Description

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

Prerequisites

The system/application is connected to the Windows domain.

The target administrative share allows remote use of local admin credentials to log into domain systems.

The adversary possesses a list of known Windows administrator credentials that exist on the target domain.

Mitigations

Do not reuse local administrator account credentials across systems.

Deny remote use of local admin credentials to log into domain systems.

Do not allow accounts to be a local administrator on more than one system.

Skills Required

[Low] Once an adversary obtains a known Windows credential, leveraging it is trivial.