MITRE ATT&CK Technique
Description
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include <code>C$</code>, <code>ADMIN$</code>, and <code>IPC$</code>. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares) The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:00.200Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Windows systems have hidden network shares that are '
'accessible only to administrators and provide the ability for '
'remote file copy and other administrative functions. Example '
'network shares include <code>C$</code>, <code>ADMIN$</code>, '
'and <code>IPC$</code>. \n'
'\n'
'Adversaries may use this technique in conjunction with '
'administrator-level [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) to '
'remotely access a networked system over server message block '
'(SMB) (Citation: Wikipedia SMB) to interact with systems '
'using remote procedure calls (RPCs), (Citation: TechNet RPC) '
'transfer files, and run transferred binaries through remote '
'Execution. Example execution techniques that rely on '
'authenticated sessions over SMB/RPC are [Scheduled '
'Task/Job](https://attack.mitre.org/techniques/T1053), '
'[Service '
'Execution](https://attack.mitre.org/techniques/T1035), and '
'[Windows Management '
'Instrumentation](https://attack.mitre.org/techniques/T1047). '
'Adversaries can also use NTLM hashes to access administrator '
'shares on systems with [Pass the '
'Hash](https://attack.mitre.org/techniques/T1075) and certain '
'configuration and patch levels. (Citation: Microsoft Admin '
'Shares)\n'
'\n'
'The [Net](https://attack.mitre.org/software/S0039) utility '
'can be used to connect to Windows admin shares on remote '
'systems using <code>net use</code> commands with valid '
'credentials. (Citation: Technet Net Use)',
'external_references': [{'external_id': 'T1077',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1077'},
{'external_id': 'CAPEC-561',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/561.html'},
{'description': 'Wikipedia. (2016, June 12). Server '
'Message Block. Retrieved June 12, '
'2016.',
'source_name': 'Wikipedia SMB',
'url': 'https://en.wikipedia.org/wiki/Server_Message_Block'},
{'description': 'Microsoft. (2003, March 28). What Is '
'RPC?. Retrieved June 12, 2016.',
'source_name': 'TechNet RPC',
'url': 'https://technet.microsoft.com/en-us/library/cc787851.aspx'},
{'description': 'Microsoft. (n.d.). How to create and '
'delete hidden or administrative '
'shares on client computers. '
'Retrieved November 20, 2014.',
'source_name': 'Microsoft Admin Shares',
'url': 'http://support.microsoft.com/kb/314984'},
{'description': 'Microsoft. (n.d.). Net Use. '
'Retrieved November 25, 2016.',
'source_name': 'Technet Net Use',
'url': 'https://technet.microsoft.com/bb490717.aspx'},
{'description': 'Payne, J. (2015, November 26). '
'Tracking Lateral Movement Part One - '
'Special Groups and Specific Service '
'Accounts. Retrieved February 1, '
'2016.',
'source_name': 'Lateral Movement Payne',
'url': 'https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts'},
{'description': 'Payne, J. (2015, November 23). '
'Monitoring what matters - Windows '
'Event Forwarding for everyone (even '
'if you already have a SIEM.). '
'Retrieved February 1, 2016.',
'source_name': 'Windows Event Forwarding Payne',
'url': 'https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem'},
{'description': 'French, D. (2018, September 30). '
'Detecting Lateral Movement Using '
'Sysmon and Splunk. Retrieved October '
'11, 2019.',
'source_name': 'Medium Detecting Lateral Movement',
'url': 'https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc'}],
'id': 'attack-pattern--ffe742ed-9100-4686-9e00-c331da544787',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'lateral-movement'}],
'modified': '2025-10-24T17:49:40.422Z',
'name': 'Windows Admin Shares',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}