
New preview detection: Data exfiltration over SMB

Tali Ash
Microsoft


Domain controllers hold the most sensitive organizational data. For most attackers, one of their top priorities is to gain access to the domain controllers and steal your most sensitive data. For example, exfiltration of the Ntds.dit file, stored on the DC, allows an attacker to forge Kerberos ticket granting tickets (TGTs) that provide authorization to any resource, and to set the ticket expiration to any arbitrary time. An Azure ATP alert is triggered when suspicious transfers of data over SMB are observed from domain controllers.
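To make the two signals named above concrete, here is an added illustration of what a minimal detector over SMB read telemetry could look like. It is not Azure ATP's code and does not describe how the product actually works: the event fields, the hostnames, the byte threshold and the sample events are all constructed assumptions. It flags reads of Ntds.dit from a domain controller and, separately, clients whose total volume read from domain controllers exceeds a baseline.

```python
"""Toy SMB data-exfiltration detector over constructed SMB read events.

Added example, not Azure ATP code. It models the two signals the post
names: reads of the Ntds.dit file and unusually large SMB transfers from
a domain controller. Field names, thresholds, hostnames and the sample
events are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical set of domain controller hostnames (an assumption).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Bytes read from domain controllers by one client, within the window the
# events cover, above which an alert is raised (assumed baseline, 50 MiB).
BYTES_THRESHOLD = 50 * 1024 * 1024


@dataclass(frozen=True)
class SmbRead:
    """One SMB read observed on a file server (constructed record shape)."""
    server: str      # host serving the share
    client: str      # host that read the data
    share: str       # share name, e.g. SYSVOL or C$
    path: str        # relative path inside the share
    bytes_read: int  # bytes transferred to the client


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    SmbRead("DC01", "WS-FINANCE-07", "SYSVOL", "contoso.com\\Policies\\gpt.ini", 1_200),
    # Large read, but from a file server rather than a DC: out of scope here.
    SmbRead("FS01", "WS-FINANCE-07", "Shared", "reports\\q3.xlsx", 80_000_000),
    SmbRead("DC01", "WS-ADMIN-03", "C$", "Windows\\NTDS\\ntds.dit", 45_000_000),
    SmbRead("DC02", "WS-ADMIN-03", "ADMIN$", "Temp\\dump.bin", 30_000_000),
    SmbRead("DC01", "WS-HR-12", "NETLOGON", "logon.bat", 500),
]


def detect_smb_exfiltration(events, dcs=DOMAIN_CONTROLLERS, threshold=BYTES_THRESHOLD):
    """Return a list of alert tuples for suspicious SMB reads from DCs.

    Two rules:
      ("sensitive-file-read", client, server, path) for any read of ntds.dit
      ("volume", client, total_bytes) when a client's total bytes read from
      all DCs exceeds `threshold`
    """
    alerts = []
    bytes_per_client = defaultdict(int)
    for ev in events:
        if ev.server not in dcs:
            continue  # only transfers originating from domain controllers are in scope
        if ev.path.lower().endswith("ntds.dit"):
            alerts.append(("sensitive-file-read", ev.client, ev.server, ev.path))
        bytes_per_client[ev.client] += ev.bytes_read
    for client, total in sorted(bytes_per_client.items()):
        if total > threshold:
            alerts.append(("volume", client, total))
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_exfiltration(SAMPLE_EVENTS):
        print(alert)
```

The filename rule alone is brittle, since a copy of the database under another name would not match it; that is why the volume rule is kept as a second, independent signal, and in the sample data it is the one that also catches the `dump.bin` transfer. In a real deployment the threshold would come from a per-client baseline rather than a constant.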


Starting from version 2.61, Azure ATP detects attempts at Data exfiltration over SMB and issues a security alert like the one shown below.


For more information visit https://aka.ms/atasaguide-smbexfiltration

Stay tuned for additional alerts and updates. Your feedback is welcome!


[Image: smbexfiltration.png, the Azure ATP "Data exfiltration over SMB" security alert]
