Exciting detections update

Microsoft

As part of Azure ATP's ongoing mission to provide the best protection and detection capabilities to your organization, we're thrilled to announce the record-speed release of 2 new detection alerts to GA (general availability) and one new detection to Preview status with the release of update 2.65 on Sunday.

 

The new Suspected NTLM relay attack alert (Preview status) is being released only 2 weeks after the technique (https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/) was first discovered and published.

 

The two GA alerts focus on possible exploitation of recently discovered vulnerabilities. The Remote code execution over DNS alert detects attackers attempting to run code on a domain controller over the DNS protocol, while the new Suspected NTLM relay attack (Exchange account) – Preview alert detects attackers masquerading as an Exchange Server to gain privileges in the environment. The Data exfiltration over SMB alert moved into GA status as well. This alert focuses on suspicious attempts to exfiltrate data from your domain controllers over the SMB protocol.

 

For more information, visit the Azure ATP docs (https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide) and the recent blog post (https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/How-to-win-the-latest-security-race-over-NTLM-relay/ba-p/334511).

 

We’re always looking for ways to continually improve, and we welcome your feedback!

 

[Screenshots: NTLMRelayLow.png, NTLMRelayMedium.png]

1 Reply

Great work shipping the NTLM Relay detection so quickly!