The companion video to the TryHackMe Network Services SMB challenge.
Christopher: Time for a 60-second attack! T1021.002, SMB Shares. This is part of the remote services technique, and yes, there is a Sigma rule for it. Watch to the end of the video to learn about which tool can help mitigate this technique.
Three things to know about T1021.002.
Adversaries may use valid accounts to interact with SMB, and anonymous logons can be considered an account in a threat vector like this.
Adversaries can use SMB to interact with file shares, transfer files to and from the server, and move laterally through the network.
SMB can also be used to execute transferred binaries through WMI.
The NIST control to address T1021.002 is AC-2(9), restrictions of shared and group accounts.
And the tool used to address AC-2(9) is Nessus! Use Nessus or a similar vuln scanner to audit for anonymous logons.
If you enjoyed this video, please like and subscribe for more attacks!