Top Security QuickFails: #3 The “invisible” network shares

26. August 2021

#3 The “invisible” network shares

The attack

It’s Wednesday morning, the sun is shining and all ImmerGrün AG employees are looking forward to the summer party in the afternoon.
Beate from the HR department wanted to have a look at some applications from the previous day and was surprised that many documents suddenly required macros to open, but she would have another look tomorrow…

What happened?

An attacker had compromised an account of an employee. This one could actually only see the company’s global exchange drive. However, the attacker very quickly checked all servers for open network drives and found that most shares were merely unmounted, but every domain user had read & write permissions on them.
Therefore, he added a macro to each Office file (Word, PowerPoint, Excel), on each network share. As a result, any employee who opened one of these files was also compromised.

In addition, the attacker found an “Admin” share, which appeared to be exclusively for administrators.

In addition to various setup files, the attacker also found bat & Powershell scripts. These also contained the credentials of various privileged accounts, which allowed the entire company to be compromised.

The countermeasure

First of all, administrators should realize that shares can also be included by users! This means that “non-visible” network drives must also be provided with appropriate permissions.

Afterwards, all systems in the network should be checked for open network shares and their permissions.

Safety gain

Medium to High

*From the blog series Top Security QuickFails

You are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information

Similar posts

The prehistory In recent years, we have conducted an extremely large number of penetration tests at companies of all sizes [...]

6. June 2021

#1 Standard Office Macros Settings The attack Our employee of the month Peter Lustig receives [...]

6. June 2021

#2 Domain admins everywhere The attack It is a Monday morning and Kevin Vielzutun starts his monthly server check in [...]

15. June 2021

Half past six in the morning in Germany. Bianca at MedienBude GmbH starts her workday by checking her e-mail inbox. [...]

1. November 2021