T1021.002: T1021.002
Essential information
- MITRE technique ID
T1021.002- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 19:25
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
SMB/Windows Admin Shares
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | lateral-movement |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
-
The MITRE Corporation Confidence 100
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
HelloKitty usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Paper Werewolf usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sarcoma Ransomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli…
First seen 01/01/1970 · Last seen 16/11/5138 · -
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Chimera usesThe MITRE Corporation Confidence 100
[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Jumpy Pisces usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CL-STA-0048 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-2697 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (71)
-
LockBit usesFamily
-
ELF Backdoor usesFamily
-
Megazord usesFamily
-
Atharvan usesFamily
-
Deed RAT usesFamily
-
Latrodectus usesFamily
-
Zox uses
-
MysterySnail RAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HELLOKITTY - S0617 usesFamily
-
zwShell uses
-
Charon usesFamily
-
PEAKLIGHT usesFamily
Reports (50)
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
AlienVault Confidence 100 4 CVEs 19 MITREs 4 Malwares 25 IOCs 25 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
-
AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 1 CVE 23 MITREs 6 Malwares 32 IOCs 32 Observables
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Vulnerabilities (CVE) (75)
An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in …
- Attack vector
- Network
- Published
- 09/09/2024
- Modified
- 21/12/2025
Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …
- Attack vector
- NETWORK
- Published
- 21/07/2025
- Modified
- 21/12/2025
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox …
- Published
- 09/06/2026
- Modified
- 09/06/2026
Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would …
- Attack vector
- Network
- Published
- 23/09/2025
- Modified
- 12/03/2026
Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
- Attack vector
- Network
- Published
- 25/03/2024
- Modified
- 21/12/2025
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread …
- Attack vector
- Network
- Published
- 10/07/2025
- Modified
- 21/12/2025
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 13/05/2026
- Modified
- 10/06/2026
Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If …
- Attack vector
- Network
- Published
- 19/09/2024
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to …
- Attack vector
- Network
- Published
- 18/11/2024
- Modified
- 21/12/2025
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized …
- Attack vector
- Network
- Published
- 05/02/2024
- Modified
- 14/01/2026
Tool (1)
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
Campaign (1)
-
2016 Ukraine Electric Power Attack uses
Course Of Action (1)
-
Filter Network Traffic mitigates