Using the victim credentials the attacker authenticates to the victim machine on port 445 and try to gain access to the Admin$ shares: (C$, IPC$, or ADMIN$). Access to Admin$ allows for remote code execution including arbitrary code.

Malware/Threat actors

Name	Type	Years	Source
Gh0st Rat	malware	2009-2012	Know%20Your%20Digital%20Enemy.pdf
Operation Cleaver	threat actor	2012-2013	Cylance_Operation_Cleaver_Report.pdf stamp.jsp?tp=&arnumber=7460498&tag=1
Lazarus Group	threat actor	2011-2014	Operation-Blockbuster-Report.pdf Operation-Blockbuster-RAT-and-Staging-Report.pdf Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf Operation-Blockbuster-Destructive-Malware-Report.pdf
APT38	threat actor	2014-2018	rpt-apt38-2018-web_v4.pdf
Wild Neutron	threat actor	2013-2015	WildNeutron_Economic_espionage.pdf ICIT-Brief-Know-Your-Enemies-2.0.pdf
Wiper	malware	2014	TA14-353A_wiper.pdf

Preventions

<Mitigation techniques>

Detections

<Detection techniques>

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

• WMI
• WinRM
• SSH HiJacking
• Remote Desktop
• Exploit

References

• Detecting Lateral Movement Attacks through SMB using BRO
• McAfee - Know Your Digital Enemy