
New preview detection: Data exfiltration over SMB

Tali Ash
Microsoft


Domain controllers hold the most sensitive organizational data. For most attackers, one of the top priorities is to gain access to the domain controllers and steal that data. For example, exfiltration of the Ntds.dit file stored on the DC allows an attacker to forge Kerberos ticket granting tickets (TGTs) that provide authorization to any resource, with the ticket expiration set to any arbitrary time. An Azure ATP alert is triggered when suspicious transfers of data over SMB are observed from domain controllers.


Starting from version 2.61, Azure ATP detects attempts at Data exfiltration over SMB and issues a security alert like the one shown below.
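To make the detection idea concrete, here is an added example (not Azure ATP's own logic, and not code from the post) that flags SMB reads from domain controllers when they touch the Ntds.dit file or exceed a volume threshold; the DC inventory, the threshold, the event fields and the sample events are all assumptions constructed for illustration.

```python
# Added example (not Azure ATP's own logic): flag suspicious SMB reads from domain
# controllers over a batch of constructed events. Field names, thresholds and the
# DC inventory are assumptions for illustration.
from collections import defaultdict

DOMAIN_CONTROLLERS = {"DC01", "DC02"}            # assumed list of DC host names
SENSITIVE_MARKERS = ("ntds.dit",)                # the AD database the post mentions
BYTES_THRESHOLD = 50 * 1024 * 1024               # assumed per-session volume threshold

# Constructed sample SMB read events: (source host, destination host, path, bytes read)
SAMPLE_EVENTS = [
    ("DC01", "WS-042", "\\\\DC01\\C$\\Windows\\NTDS\\ntds.dit", 96_000_000),
    ("DC01", "WS-042", "\\\\DC01\\SYSVOL\\corp.local\\Policies\\gpt.ini", 2_048),
    ("DC02", "WS-017", "\\\\DC02\\NETLOGON\\login.bat", 4_096),
    ("DC02", "WS-017", "\\\\DC02\\C$\\Backups\\export.bak", 70_000_000),
    ("FS01", "WS-042", "\\\\FS01\\Share\\big.iso", 900_000_000),   # not a DC: ignored
]

def detect_smb_exfiltration(events):
    """Return one finding per (dc, destination) pair whose reads look suspicious.

    A pair is flagged when a read touches a sensitive file, or when the total
    volume read from the DC exceeds BYTES_THRESHOLD. Small SYSVOL/NETLOGON
    reads are normal logon traffic and are left alone.
    """
    totals = defaultdict(int)
    sensitive = defaultdict(list)
    for src, dst, path, nbytes in events:
        if src not in DOMAIN_CONTROLLERS:
            continue                                  # only transfers from DCs matter here
        totals[(src, dst)] += nbytes
        if any(m in path.lower() for m in SENSITIVE_MARKERS):
            sensitive[(src, dst)].append(path)
    findings = []
    for dc, dst in sorted(totals):
        reasons = []
        if sensitive[(dc, dst)]:
            reasons.append("sensitive file read: " + ", ".join(sensitive[(dc, dst)]))
        if totals[(dc, dst)] > BYTES_THRESHOLD:
            reasons.append(f"volume {totals[(dc, dst)]} bytes exceeds threshold")
        if reasons:
            findings.append({"dc": dc, "destination": dst,
                             "bytes": totals[(dc, dst)], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in detect_smb_exfiltration(SAMPLE_EVENTS):
        print(finding)
```

Running it on the sample events reports the DC01 to WS-042 session (sensitive file plus volume) and the DC02 to WS-017 session (volume only), while the small SYSVOL and NETLOGON reads and the file-server transfer are left alone.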


For more information visit https://aka.ms/atasaguide-smbexfiltration

Stay tuned for additional alerts and updates. Your feedback is welcome!


[Image: smbexfiltration.png, the Data exfiltration over SMB security alert as shown in the Azure ATP portal]
