SMB administrative shares are hidden shares Windows creates automatically on every machine: C$ (the C: drive), ADMIN$ (the Windows folder), and IPC$ (inter-process communication). They exist for remote administration and are accessible to local administrators over SMB (port 445). Attackers abuse them to copy tools, read or plant files, and execute code on remote hosts; this is the foundation that PsExec and similar tools build on. With a stolen password or NTLM hash for a local admin, they are a direct lateral-movement path.
What admin shares are
Windows automatically publishes hidden administrative shares (their names end in $):
- C$ maps to the entire C: drive.
- ADMIN$ maps to the Windows directory.
- IPC$ is used for inter-process communication and named pipes.
They are intended for remote administration and are restricted to local administrators, reachable over SMB (445). The same access that helps IT manage machines remotely gives an attacker who holds admin credentials a way in.
The abuse and payload
With local-admin credentials or a hash for the target, the attacker uses the shares to move and execute:
- Browse or copy files:
  smbclient //10.0.0.5/C$ -U corp/user
  copy payload.exe \\10.0.0.5\C$\Windows\Temp\
- Map a share:
  net use \\10.0.0.5\ADMIN$ /user:corp\user Password1
- Execute via SMB without a service (Impacket):
  smbexec.py corp.local/user:Password1@10.0.0.5
- PsExec and smbexec rely on ADMIN$ and IPC$ to drop and run code.
These are documented techniques, shown here so defenders know what to look for.
How to defend
- Limit local-administrator rights and use LAPS so one stolen hash does not unlock every machine.
- Segment SMB (445) so workstations cannot reach each other’s admin shares.
- Enable SMB signing and reduce NTLM to blunt Pass-the-Hash.
- Monitor for access to C$/ADMIN$ from unusual sources and for files written to Windows\Temp via SMB.
- Consider host firewalls blocking inbound 445 except from management hosts.
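As an added example (not part of the original text), a small detection prototype for the monitoring bullet above: it checks simplified records modelled on Windows Security events 5140 (share accessed) and 5145 (share object access check) against two rules, admin-share access from outside an assumed management subnet, and write access under Windows\Temp on C$. The event field names, the sample records and the 10.0.0.0/29 management range are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}
# Assumed allowlist: only these management hosts may touch admin shares.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/29")]
WRITE_MASK = 0x2 | 0x4  # 5145 AccessMask bits: WriteData/AddFile, AppendData


def share_name(raw: str) -> str:
    r"""Events log shares as \\*\C$; keep only the share part, upper-cased."""
    return raw.rsplit("\\", 1)[-1].upper()


def is_management(src: str) -> bool:
    """True if the client address falls inside an allowed management net."""
    try:
        return any(ipaddress.ip_address(src) in n for n in MANAGEMENT_NETS)
    except ValueError:  # hostname or malformed field: treat as not allowed
        return False


def classify(event: Dict[str, str]) -> List[str]:
    """Return the detection names an event triggers ([] means no alert)."""
    hits: List[str] = []
    share = share_name(event["ShareName"])
    if share not in ADMIN_SHARES:
        return hits
    if not is_management(event["SourceAddress"]):
        hits.append("admin_share_from_non_mgmt_host")
    target = event.get("RelativeTargetName", "").lower()
    mask = int(event.get("AccessMask", "0x0"), 16)
    if share == "C$" and target.startswith("windows\\temp\\") and mask & WRITE_MASK:
        hits.append("write_to_windows_temp_over_smb")
    return hits


# Constructed sample events (simplified 5140/5145 fields, not real log data).
SAMPLE_EVENTS = [
    {"Id": "e1", "SourceAddress": "10.0.0.2", "ShareName": "\\\\*\\ADMIN$"},
    {"Id": "e2", "SourceAddress": "10.0.0.77", "ShareName": "\\\\*\\C$",
     "RelativeTargetName": "Windows\\Temp\\payload.exe", "AccessMask": "0x2"},
    {"Id": "e3", "SourceAddress": "10.0.0.77", "ShareName": "\\\\*\\IPC$"},
    {"Id": "e4", "SourceAddress": "10.0.0.77", "ShareName": "\\\\*\\Public",
     "RelativeTargetName": "report.docx", "AccessMask": "0x2"},
]


def alerts(events=SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """(event Id, triggered rules) for every event that fires at least one rule."""
    return [(e["Id"], classify(e)) for e in events if classify(e)]
```

In a real deployment the allowlist would come from the management-host inventory and the records from the forwarded Security log; the rule logic stays the same.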