SMB operates on a client-server architecture. Authentication is typically handled via Kerberos in an Active Directory domain, falling back to NTLM if SPN resolution fails or if accessing via IP address.
To facilitate remote IT management, Windows automatically creates hidden Administrative Shares on every machine. These shares are appended with a $ character, rendering them invisible to standard network browsing.
C$, D$): Grants full administrative access to the root of the respective hard drive volumes.ADMIN$ Share: A specific pointer to the C:\Windows directory.Threat actors weaponize SMB across multiple phases of the kill chain.
As detailed in our PsExec Lateral Movement Analysis, attackers authenticate to the target’s ADMIN$ share over SMB (TCP 445), drop a malicious service executable (PSEXESVC.exe), and use RPC over SMB to instruct the Service Control Manager to execute it.
To evade network detection, modern C2 frameworks (like Cobalt Strike or Sliver) deploy SMB Beacons. Instead of communicating directly with the internet, infected internal hosts communicate with each other over SMB using Named Pipes (accessed via the IPC$ share). To a firewall, this simply looks like legitimate internal file-sharing traffic.
In modern Ransomware Investigations, adversaries often do not deploy the encryptor payload to every endpoint. Instead, they execute the ransomware on a single powerful server and encrypt thousands of files across the network entirely over SMB. This “Remote Encryption” bypasses local EDR agents on the victim workstations because the local files are merely being modified via standard network share access.
DFIR analysts rely on specific Windows Event Logs to track malicious SMB activity.
Share Access (Events 5140 & 5145)
Logged in the Security log.
Event 5140: A network share object was accessed. Reveals the Source IP.
Event 5145: Detailed access. If the attacker accesses the IPC$ share, the Relative Target Name will reveal the exact Named Pipe being used.
Sysmon Pipe Activity (Events 17 & 18)
Sysmon Event 17 (Pipe Created) and 18 (Pipe Connected) correlate the network SMB activity directly back to the malicious process PID hosting the beacon.
When an attacker performs aggressive remote encryption over SMB, the script opens thousands of file handles simultaneously. This aggressive, unnatural traffic often causes the SMB client connection to fail or drop.
Analysts must monitor the Microsoft-Windows-SMBClient/Connectivity log. A massive spike in Event 30803 (Network connection failed) and Event 30807 (Connection disconnected) is a highly reliable behavioral signature of remote ransomware encryption in progress.
// Detects unauthorized access to hidden administrative shares (C$, ADMIN$)// which is indicative of lateral movement or remote payload staging.DeviceEvents| where ActionType == "ShareAccessed"| extend ShareName = tostring(AdditionalFields.ShareName)// Target hidden administrative shares| where ShareName endswith "C$" or ShareName endswith "ADMIN$"// Filter out expected backup or management servers| where RemoteIP !in ("10.0.0.50", "10.0.0.51")| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RemoteIP, ShareName| sort by TimeGenerated desc# Detects massive spikes in SMB disconnects, strongly indicating# remote ransomware encryption overwhelming the SMB client limits.index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-SMBClient/Connectivity" EventCode IN (30803, 30807)| bucket _time span=1m| stats count by host# Threshold: More than 100 connection drops in 1 minute| where count > 100| sort - count