Administrative shares
Another often-overlooked attack vector is the use of administrative shares. Some ransomware operators abuse the hidden administrative shares that Windows creates by default (ADMIN$, C$ and IPC$) to reach other hosts once they hold a privileged account. For instance, attackers frequently run Invoke-ShareFinder (a PowerView function) with a privileged account to enumerate reachable shares, administrative shares included, and then search them for sensitive information, as described in this Digital Forensics and Incident Response (DFIR) report on an Emotet intrusion that ended in domain-wide ransomware: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/.
Note
Disabling administrative shares on servers, particularly Domain Controllers (DCs), can have a significant impact on the functionality and operation of systems within a domain-based environment. Therefore, it is important to proceed with caution if you plan to disable this feature. Furthermore, if PsExec is being used in your environment, disabling the admin (ADMIN$) share may limit the functionality of this software, because PsExec copies its service binary to ADMIN$ on the target host...