
New preview detection: Data exfiltration over SMB

Tali Ash
Microsoft


Domain controllers hold an organization's most sensitive data. For most attackers, gaining access to a domain controller and stealing that data is a top priority. For example, the Ntds.dit database stored on every DC contains the password hashes of all domain accounts, including the krbtgt account; with the krbtgt hash an attacker can forge Kerberos ticket granting tickets (TGTs), a so-called golden ticket, that assert membership in any group, grant access to any resource, and carry an arbitrary expiration time. Because Ntds.dit is locked while the DC is running, attackers typically take a copy (for example from a volume shadow copy or an ntdsutil IFM export, together with the SYSTEM registry hive needed to decrypt it) and then pull that copy off the DC over SMB, often via an administrative share. Azure ATP triggers an alert when suspicious transfers of data over SMB are observed from domain controllers.
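To make the detection idea concrete, here is a small added example (not Azure ATP's own logic, and not code from the original post) that applies two simple heuristics to SMB file-read records whose source is a domain controller: it flags reads of AD database and registry hive files such as ntds.dit, and it flags any DC-to-non-DC host pair whose total transferred volume exceeds a threshold. The DC hostnames, the field layout of the records, the threshold and the sample log lines are all constructed assumptions for the example; DC-to-DC traffic is skipped because replication and SYSVOL traffic between DCs is expected.

```python
"""
Toy detector for suspicious SMB data transfers originating from domain
controllers. This is illustrative example code, not Azure ATP's algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Assumption: inventory of domain controller hostnames (normally pulled from AD).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Files whose transfer off a DC is almost never legitimate: the AD database
# and the SYSTEM/SECURITY hives produced by an ntdsutil IFM export.
SENSITIVE_FILE_RE = re.compile(
    r"ntds\.dit$|\\registry\\(system|security)$", re.IGNORECASE)

# Assumption: byte volume per (DC, client) pair above which we alert. Tune
# this against the baseline observed in your own environment.
VOLUME_THRESHOLD_BYTES = 50 * 1024 * 1024


@dataclass
class SmbTransfer:
    ts: str      # timestamp of the read
    src: str     # host that served the data (the share host)
    dst: str     # host that read the data
    path: str    # UNC path that was read
    nbytes: int  # bytes transferred


def parse_line(line: str) -> SmbTransfer:
    """Parse one 'ts|src|dst|path|bytes' record (constructed format)."""
    ts, src, dst, path, nbytes = line.split("|")
    return SmbTransfer(ts, src, dst, path, int(nbytes))


def detect(transfers):
    """Return a list of alert tuples for transfers sourced from a DC."""
    alerts = []
    volume = defaultdict(int)
    for t in transfers:
        if t.src not in DOMAIN_CONTROLLERS:
            continue                      # only DC-sourced reads matter here
        if t.dst in DOMAIN_CONTROLLERS:
            continue                      # DC-to-DC traffic is expected
        if SENSITIVE_FILE_RE.search(t.path):
            alerts.append(("sensitive_file", t.src, t.dst, t.path))
        volume[(t.src, t.dst)] += t.nbytes
    for (src, dst), total in volume.items():
        if total > VOLUME_THRESHOLD_BYTES:
            alerts.append(("volume", src, dst, total))
    return alerts


# Constructed sample records: a workstation pulling an IFM export off DC01,
# plus benign SYSVOL/NETLOGON reads and a non-DC file server transfer.
SAMPLE_LINES = [
    r"2019-01-10T02:13:05Z|DC01|WS-042|\\DC01\C$\Temp\ifm\Active Directory\ntds.dit|73400320",
    r"2019-01-10T02:13:41Z|DC01|WS-042|\\DC01\C$\Temp\ifm\registry\SYSTEM|14680064",
    r"2019-01-10T02:14:00Z|DC01|DC02|\\DC01\SYSVOL\corp.local\Policies\GptTmpl.inf|4096",
    r"2019-01-10T02:15:12Z|DC02|FS01|\\DC02\NETLOGON\logon.bat|1024",
    r"2019-01-10T02:16:30Z|FS01|WS-017|\\FS01\Projects\build.iso|209715200",
]


def run_example():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample data the detector raises two sensitive-file alerts for the ntds.dit and SYSTEM reads by WS-042 and one volume alert for the DC01 to WS-042 pair, while the SYSVOL replication read, the small NETLOGON read and the large transfer from the non-DC file server stay silent.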


Starting from version 2.61, Azure ATP detects attempts at Data exfiltration over SMB and issues a security alert like the one shown below.


For more information visit https://aka.ms/atasaguide-smbexfiltration

Stay tuned for additional alerts and updates. Your feedback is welcome!


[Screenshot: smbexfiltration.png, the "Data exfiltration over SMB" alert in the Azure ATP portal]
