AN1468: Analytic 1468
An SMB-based remote file share access followed by lateral movement actions such as remote service creation, task scheduling, or suspicious process execution on the target host using ADMIN$ or C$ shares.
Analyst context for executives and security teams
This analytic matters because SMB administrative shares such as ADMIN$ and C$ are commonly involved when activity moves from simple remote file access into hands-on lateral movement on Windows systems. For leaders, the practical question is whether the organization can distinguish legitimate remote administration from suspicious follow-on actions such as remote service creation, task scheduling, or unusual process execution on the target host.
Executive priority
Prioritize this as a Windows lateral-movement visibility and response-readiness issue. It affects incident scoping, containment speed, audit evidence for administrative access monitoring, and confidence in managed detection or SOC coverage. Executives should ask whether SMB administrative share activity is logged, correlated with remote execution behaviors, and reviewed in the context of privileged account use rather than treated as routine file access alone.
Technical view
Validate whether the SOC can correlate SMB-based access to ADMIN$ or C$ shares with subsequent lateral movement indicators on the target Windows host, including remote service creation, scheduled task activity, or suspicious process execution. Because the supplied ATT&CK object provides no official detection logic and no relationship context, teams should treat this as detection design guidance rather than a ready-to-deploy rule. The key engineering task is correlation across network/file-share access and endpoint execution evidence on the destination host.
Likely telemetry
- Windows endpoint process execution telemetry from target hosts
- Windows service creation or service control event telemetry
- Scheduled task creation or execution telemetry
- SMB or Windows file share access logs involving ADMIN$ or C$
- Authentication and logon telemetry for accounts accessing remote administrative shares
Detection direction
- Correlate remote ADMIN$ or C$ share access with near-time service creation, scheduled task activity, or suspicious process execution on the same target host.
- Baseline legitimate administrative tooling and maintenance workflows to reduce false positives from IT operations.
- Review privileged and administrative account usage in the same time window as SMB administrative share access.
- Confirm visibility exists on both the source and target Windows systems; network-only SMB evidence may not prove what executed on the destination host.
- Tune detections around sequences of behavior rather than a single SMB share access event, since administrative shares can be used legitimately.
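The correlation described in the technical view and the detection direction above, written out as an added example rather than anything supplied with the ATT&CK object or by Glexia. It joins a Security 5140 event (network share accessed, share name ending in ADMIN$ or C$) with follow-on System 7045 (service installed), Security 4698 (scheduled task created) or Security 4688 (process created) events on the same target host inside a short window, and drops share accesses from baselined (account, source IP) pairs. Those event IDs are real Windows audit events; the field names, the sample records and the five-minute window are constructed assumptions, not a vendor schema. Because the follow-on events are host-local, the rule only fires when the destination host is actually forwarding its logs, which is the visibility gap the direction above warns about.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are an assumption that
# mirrors what a SIEM would normalize from: Security 5140 (network share
# accessed), System 7045 (service installed), Security 4698 (scheduled task
# created), Security 4688 (process created). Times are ISO-8601, no timezone.
SAMPLE_EVENTS = [
    # Benign: backup account reads C$ on FS01 and nothing follows.
    {"time": "2024-03-01T02:00:00", "host": "FS01", "event_id": 5140,
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.20", "share": "\\\\*\\C$"},
    # Suspicious: a workstation touches ADMIN$ on SRV02 ...
    {"time": "2024-03-01T09:15:00", "host": "SRV02", "event_id": 5140,
     "account": "CORP\\jdoe", "src_ip": "10.0.9.77", "share": "\\\\*\\ADMIN$"},
    # ... a service is installed on SRV02 twenty seconds later ...
    {"time": "2024-03-01T09:15:20", "host": "SRV02", "event_id": 7045,
     "account": "CORP\\jdoe", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    # ... and that service spawns a shell.
    {"time": "2024-03-01T09:15:25", "host": "SRV02", "event_id": 4688,
     "account": "CORP\\jdoe", "image_path": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\PSEXESVC.exe"},
    # Unrelated task on another host; must not attach to the SRV02 access.
    {"time": "2024-03-01T09:16:00", "host": "WS10", "event_id": 4698,
     "account": "CORP\\admin1", "task_name": "\\Patch\\Nightly"},
    # Share access followed by a task ninety minutes later: outside the window.
    {"time": "2024-03-01T12:00:00", "host": "SRV03", "event_id": 5140,
     "account": "CORP\\admin1", "src_ip": "10.0.1.5", "share": "\\\\*\\ADMIN$"},
    {"time": "2024-03-01T13:30:00", "host": "SRV03", "event_id": 4698,
     "account": "CORP\\admin1", "task_name": "\\Maint\\Cleanup"},
]

ADMIN_SHARES = ("ADMIN$", "C$")
FOLLOW_ON_IDS = {
    7045: "service_installed",
    4698: "scheduled_task_created",
    4688: "process_created",
}


def is_admin_share(share):
    """5140 reports the share as \\\\*\\NAME; compare only the final component."""
    return share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES


def correlate(events, window=timedelta(minutes=5), allowlist=frozenset()):
    """Return one alert per admin-share access that is followed, on the same
    target host and within `window`, by service installation, scheduled task
    creation or process creation. `allowlist` holds (account, src_ip) pairs for
    baselined administrative tooling so routine IT workflows do not alert."""
    parsed = sorted(
        (dict(e, ts=datetime.fromisoformat(e["time"])) for e in events),
        key=lambda e: e["ts"],
    )
    alerts = []
    for access in parsed:
        if access["event_id"] != 5140 or not is_admin_share(access["share"]):
            continue
        if (access["account"], access["src_ip"]) in allowlist:
            continue
        deadline = access["ts"] + window
        follow_on = [
            f for f in parsed
            if f["host"] == access["host"]
            and f["event_id"] in FOLLOW_ON_IDS
            and access["ts"] <= f["ts"] <= deadline
        ]
        if follow_on:
            alerts.append({
                "target_host": access["host"],
                "account": access["account"],
                "src_ip": access["src_ip"],
                "share": access["share"],
                "share_access_time": access["time"],
                "follow_on": [(FOLLOW_ON_IDS[f["event_id"]], f["time"]) for f in follow_on],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only the SRV02 sequence produces an alert: the FS01 access has no follow-on, the WS10 task is on a different host, and the SRV03 task falls outside the window. Passing `allowlist={("CORP\\jdoe", "10.0.9.77")}` suppresses it, which is the baseline mechanism the tuning direction above calls for; in production the allowlist would come from the organization's inventory of remote administration tooling rather than a literal.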
Mitigation priorities
- Harden and monitor use of Windows administrative shares and privileged remote administration paths.
- Restrict administrative access to systems based on role, need, and segmentation boundaries.
- Ensure endpoint logging captures service creation, scheduled task activity, process execution, and relevant authentication events.
- Use incident response playbooks that quickly identify the source account, source host, target host, files accessed, and follow-on execution activity.
- Periodically test SOC correlation coverage for SMB administrative share access followed by remote execution behaviors.
Analyst notes and limits
The object is a detection analytic for Windows in the enterprise ATT&CK domain, describing SMB-based remote file share access followed by lateral movement actions using ADMIN$ or C$ shares. No ATT&CK tactics, relationships, aliases, labels, official detection logic, data source mappings, related techniques, threat groups, software, campaigns, or mitigations were supplied with it, so this take focuses on defensible validation questions and telemetry requirements rather than specific rule syntax.
Local environment baselines are required to separate legitimate remote administration from suspicious lateral movement patterns.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3445f296bcdf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN1468
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.