T1021.002: T1021.002
Essential information
- MITRE technique ID: T1021.002
- Confidence: 100/100
- Revoked: No
- Published: 11/02/2020 19:25
- Modified: 27/03/2026 01:09
- Author / Source: The MITRE Corporation
Aliases
SMB/Windows Admin Shares
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:CLEAR
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
- The MITRE Corporation · Confidence 100
  [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…
  First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology,…
  First seen 01/01/1970 · Last seen 16/11/5138
- FishMonger · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Fox Kitten](https://attack.mitre.org/groups/G0117) is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North…
  First seen 01/01/1970 · Last seen 16/11/5138
- GhostEmperor · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- GrayCharlie · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Head Mare and Twelve · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- IronHusky · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Jewelbug · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- KAWA4096 · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- LeakNet · related · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (71)
- LockBit · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ELF Backdoor · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Megazord · uses · Family · The MITRE Corporation · Confidence 100
  [Megazord](https://attack.mitre.org/software/S1191) is a Rust-based variant of [Akira](https://attack.mitre.org/software/S1129) ransomware that has been in use since at least August 2023 to target Windows environments. [Megazord](https://attack.mitre.org/software/S1191) has been attributed to the…
  First seen 01/01/1970 · Last seen 16/11/5138
- Atharvan · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Deed RAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Latrodectus · uses · The MITRE Corporation · Confidence 100
  [Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed…
  First seen 01/01/1970 · Last seen 16/11/5138
- Zox · uses · Family · The MITRE Corporation · Confidence 100
  [Zox](https://attack.mitre.org/software/S0672) is a remote access tool that has been used by [Axiom](https://attack.mitre.org/groups/G0001) since at least 2008.(Citation: Novetta-Axiom)
  First seen 01/01/1970 · Last seen 16/11/5138
- MysterySnail RAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- HELLOKITTY - S0617 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- zwShell · uses · Family · The MITRE Corporation · Confidence 100
  [zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during…
  First seen 01/01/1970 · Last seen 16/11/5138
- Charon · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- PEAKLIGHT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (50)
- 11 MITREs · 53 Observables
- 5 CVEs · 7 MITREs · 1 Malware · 2 Observables · 1 APT
- 12 MITREs · 1 Malware · 2 Observables · 1 APT
- 18 MITREs · 12 Observables
- 13 MITREs · 1 APT
- 15 MITREs
- 11 MITREs · 1 Malware · 1 APT
- 14 MITREs · 1 Malware · 12 Observables
- 4 CVEs · 4 MITREs · 2 Malwares · 25 Observables · 1 APT
- 10 MITREs · 1 Malware · 11 Observables · 1 APT
- 15 MITREs · 1 Malware · 2 Observables
- 9 MITREs · 5 Malwares · 2 Observables · 1 APT
Vulnerabilities (CVE) (75)
A code injection vulnerability in the User Portal and Webadmin of Sophos Firewall allows for remote code execution.
- Attack vector: Network
- Published: 23/09/2022
- Modified: 27/05/2026
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated …
- Published: 28/01/2026
- Modified: 29/01/2026
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector: Network
- Published: 10/12/2021
- Modified: 27/05/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published: 03/11/2021
- Modified: 21/12/2025
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet allows an attacker to execute unauthorized …
- Attack vector: Network
- Published: 05/02/2024
- Modified: 14/01/2026
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.
- Published: 10/01/2022
- Modified: 20/12/2025
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
- Published: 11/04/2022
- Modified: 20/12/2025
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
- Published: 11/04/2022
- Modified: 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector: Adjacent
- Published: 30/09/2022
- Modified: 20/12/2025
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
- Attack vector: NETWORK
- Published: 08/10/2024
- Modified: 21/12/2025
Privilege Escalation to root administrator (nsroot)
- Attack vector: ADJACENT_NETWORK
- Published: 19/07/2023
- Modified: 21/12/2025
Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within …
- Attack vector: Network
- Published: 22/08/2023
- Modified: 27/05/2026
Tool (1)
- Net · uses · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
Campaign (1)
- 2016 Ukraine Electric Power Attack · uses
Course Of Action (1)
- Filter Network Traffic · mitigates