| GEN:SID | 1:532 |
| Message | NETBIOS SMB ADMIN$ share access |
| Summary | This event is generated when an attempt is made to access an administrative share on a Windows machine.
|
| Impact | Serious. Possible administrator access on the victim machine.
|
| Detailed Information | This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB.
This is a poor security practice or an indication that a machine is being accessed remotely.
|
| Affected Systems | Windows 9x Windows 2000 Windows XP
|
| Attack Scenarios | |
| Ease of Attack | Simple
|
| Corrective Action | Use a packet filtering firewall to disallow Netbios access from the unprotected network.
|
| Additional References | |