AN1145: Analytic 1145
Monitoring of file access to network shares (e.g., C$, Admin$) followed by unusual read or copy operations by processes not typically associated with such activity (e.g., PowerShell, certutil).
Analyst context for executives and security teams
This analytic matters because access to Windows administrative network shares such as C$ and Admin$ can expose sensitive systems to large-scale file reading or copying. For leaders, the decision point is whether the organization can see unusual file access over shares, especially when performed by tools that are not normally used for routine file operations, such as PowerShell or certutil.
Executive priority
Prioritize this as a Windows monitoring and incident-readiness question: can the SOC prove it has evidence of who accessed administrative shares, from where, with what process, and what files were read or copied? This supports business continuity, audit evidence, and incident scoping when suspicious network-share activity occurs. Because ATT&CK supplies no related technique, tactic, or threat relationship here, prioritization should be based on local exposure of Windows administrative shares and the sensitivity of reachable file stores.
Technical view
Validate visibility into Windows network-share file access, with emphasis on C$ and Admin$ style administrative shares. Detection engineering should look for unusual read or copy activity where the initiating process is not normally associated with that behavior in the environment, including examples named by ATT&CK such as PowerShell and certutil. Since no official detection logic is provided, teams should baseline normal administrative share usage by host role, account, source system, process, and volume of file operations before alerting on deviations.
Likely telemetry
- Windows file access auditing for network shares
- Administrative share access events for C$ and Admin$
- Process execution telemetry for tools such as PowerShell and certutil
- Source and destination host context for share access
- Account identity and logon context tied to file access
Detection direction
- Confirm that administrative share access is logged at a level sufficient to identify account, source host, target host, share name, and file operation.
- Baseline legitimate administrative activity to reduce false positives from software deployment, backup, system administration, or incident-response tooling.
- Tune for uncommon process-to-share combinations, especially processes not typically used for bulk file reads or copies in the local environment.
- Correlate file access with process execution and authentication context rather than relying on share access alone.
- Document blind spots where endpoint logging, file auditing, or network-share telemetry is disabled or inconsistently retained.
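The following is an added example, not part of the ATT&CK object or the Glexia page, showing how the baselining and correlation steps above can be turned into detection logic. It runs over constructed Windows Security events (4688 process creation on the source host, 5145 detailed file share access on the file server) and uses a hypothetical per-account allow-list as the local baseline; the field names are assumptions of this normalization, not a specific SIEM schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not from the page or from ATT&CK: Windows Security
# 4688 (process creation, on the source host) and 5145 (detailed file share access,
# on the file server), normalized to dicts. ShareName uses the 5145 form "\\*\C$".
def proc(ts, host, user, image):
    return {"id": 4688, "ts": ts, "host": host, "user": user, "process": image}
def share_read(ts, user, src, share, target):
    return {"id": 5145, "ts": ts, "host": "FS01", "user": user, "src": src,
            "share": share, "target": target, "mask": 0x1}

EVENTS = [  # three scenarios: unusual bulk read, baselined deployment, single file
    proc("2024-05-01T09:00:00", "WS01", "alice", "powershell.exe"),
    share_read("2024-05-01T09:00:20", "alice", "WS01", r"\\*\C$", r"Users\bob\q1.xlsx"),
    share_read("2024-05-01T09:00:21", "alice", "WS01", r"\\*\C$", r"Users\bob\q2.xlsx"),
    share_read("2024-05-01T09:00:22", "alice", "WS01", r"\\*\C$", r"Users\bob\payroll.csv"),
    proc("2024-05-01T09:10:00", "DEP01", "deploy_svc", "powershell.exe"),
    share_read("2024-05-01T09:10:05", "deploy_svc", "DEP01", r"\\*\ADMIN$", r"Temp\pkg1.msi"),
    share_read("2024-05-01T09:10:06", "deploy_svc", "DEP01", r"\\*\ADMIN$", r"Temp\pkg2.msi"),
    share_read("2024-05-01T09:10:07", "deploy_svc", "DEP01", r"\\*\ADMIN$", r"Temp\pkg3.msi"),
    proc("2024-05-01T09:20:00", "WS02", "bob", "explorer.exe"),
    share_read("2024-05-01T09:20:03", "bob", "WS02", r"\\*\C$", r"Users\bob\notes.txt"),
]
ADMIN_SHARES = {r"\\*\C$", r"\\*\ADMIN$"}
UNUSUAL_PROCS = {"powershell.exe", "certutil.exe"}  # atypical for bulk share reads here
BASELINE = {"deploy_svc": {"powershell.exe"}}       # hypothetical local allow-list
READ_DATA, WINDOW = 0x1, timedelta(minutes=5)       # 5145 AccessMask ReadData bit; lookback
_ts = datetime.fromisoformat

def find_suspicious_share_reads(events, min_files=3):
    """Alert on admin-share reads of >= min_files distinct files by an account whose
    source host started an unusual, non-baselined process within WINDOW beforehand."""
    procs = [e for e in events if e["id"] == 4688]
    groups = defaultdict(list)
    for e in events:
        if e["id"] == 5145 and e["share"].upper() in ADMIN_SHARES and e["mask"] & READ_DATA:
            groups[(e["user"], e["src"], e["share"].upper())].append(e)
    alerts = []
    for (user, src, share), reads in groups.items():
        files = {r["target"] for r in reads}
        first = min(_ts(r["ts"]) for r in reads)
        recent = {p["process"].lower() for p in procs if p["host"] == src and p["user"] == user
                  and first - WINDOW <= _ts(p["ts"]) <= first}
        odd = (recent & UNUSUAL_PROCS) - BASELINE.get(user, set())
        if len(files) >= min_files and odd:
            alerts.append({"user": user, "source": src, "share": share,
                           "files": len(files), "processes": sorted(odd)})
    return alerts
```

Only the first scenario alerts: the deployment account's PowerShell use is covered by the baseline, and the single Explorer read stays below the volume threshold.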
Mitigation priorities
- Review whether Windows administrative shares are required and restrict access to authorized administrative accounts where feasible.
- Apply least-privilege access controls to systems and shares that expose sensitive files.
- Ensure file access auditing and endpoint process telemetry are enabled on relevant Windows systems.
- Establish retention and search workflows so incident responders can scope suspicious share access after the fact.
- Periodically test whether SOC procedures can identify unusual reads or copies from administrative shares using approved internal validation methods.
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique. The supplied content supports a Windows-focused monitoring use case for suspicious file access to network shares, especially administrative shares, followed by unusual read or copy operations by atypical processes. There are no supplied relationships, tactics, aliases, or detailed detection logic, so local baselining is essential.
ATT&CK did not provide an official detection section, related techniques, tactics, procedure examples, or mitigations for this analytic in the supplied fields. This analysis should not be read as evidence of active exploitation, attribution, or guaranteed detection coverage. Applicability depends on the organization’s Windows administrative share exposure and logging configuration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 15a16303c6f3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1145 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.