Windows Administrative Shares Accessed On Multiple Hosts

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1135` Network Share Discovery

Event coverage

Provider	Event ID	Title
Security-Auditing	5140	A network share object was accessed.
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.

Stages and Predicates

Stage 1: `search`

search (EventCode=5140 OR EventCode=5145) (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\C$" OR ShareName="\\\\*\\IPC$")

Stage 2: `bucket`

bucket span=5m _time

Stage 3: `stats`

stats dc(Computer) AS unique_targets, … AS host_targets, … AS shares, … AS dest BY _time, IpAddress, SubjectUserName, EventCode

Stage 4: `where`

where unique_targets>30

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`5140` corpus 2 (splunk 2) `5145` corpus 4 (splunk 4)
`ShareName`	eq	`"\\\\\\ADMIN$"` `"\\\\\\C$"` `"\\\\*\\IPC$"`
`unique_targets`	gt	`30` corpus 5 (splunk 5)

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.

Potential Kerberos Coercion via DNS-Based SPN Spoofing [elastic]
Suspicious Remote Registry Access via SeBackupPrivilege [elastic]
Startup/Logon Script added to Group Policy Object [elastic]
Scheduled Task Execution at Scale via GPO [elastic]
Persistence and Execution at Scale via GPO Scheduled Task [sigma]
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation [sigma]
Startup/Logon Script Added to Group Policy Object [sigma]
Windows AD Short Lived Server Object [splunk]