T1051: Shared Webroot

Lateral Movement

Execution

Enumerating the victim host 10.0.0.6 for available shares:

attacker@local
smbclient -L //10.0.0.6 -U spot

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    CertEnroll      Disk      Active Directory Certificate Services share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    temp            Disk      
    tools           Disk      
    transcripts     Disk      
    wwwroot         Disk

Logging in to the wwwroot share:

Uploading a webshell into the wwwroot:

The attacker can now reach the newly uploaded webshell at http://10.0.0.6/c.aspx and start executing commands through it.
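The precondition for this technique is a file share that happens to be a web server's content root. As an added audit helper (not code from the original page), the script below parses the `smbclient -L` listing shown above and flags non-default disk shares whose names suggest a web root, so their write permissions can be reviewed; the hint list and the sample listing are constructed for this example.

```python
"""Audit helper: parse `smbclient -L` output and flag disk shares that look
like web content roots, so a defender can review who may write to them."""
import re

# Shares created by Windows by default; skipped, since they are expected.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}
# Name fragments commonly used for web content roots (assumed list; extend it).
WEBROOT_HINTS = ("wwwroot", "htdocs", "inetpub", "public_html", "webroot", "www")

# Constructed sample: the listing captured on this page.
SAMPLE_LISTING = """\
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\\spot's password:

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    CertEnroll      Disk      Active Directory Certificate Services share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    SYSVOL          Disk      Logon server share
    temp            Disk
    tools           Disk
    transcripts     Disk
    wwwroot         Disk
"""

# One share line: indented name, share type, optional comment.
SHARE_LINE = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_shares(listing):
    """Return [(name, type, comment)] for every share line in the listing."""
    shares = []
    for line in listing.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            shares.append((m.group(1), m.group(2), m.group(3).strip()))
    return shares


def non_default_disk_shares(listing):
    """Disk shares an administrator created, i.e. the ones worth reviewing."""
    return [n for n, t, _ in parse_shares(listing)
            if t == "Disk" and n not in DEFAULT_SHARES]


def webroot_like_shares(listing):
    """Subset of non-default disk shares whose name suggests a web root."""
    return [n for n in non_default_disk_shares(listing)
            if any(h in n.lower() for h in WEBROOT_HINTS)]
```

A hit only means the share name looks like a web root; confirming that the web server actually serves from it, and which principals hold write access, is the follow-up check.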

Observations

See T1108: Webshells for observations:

T1108: WebShells
