Suspicious SMB connection from domain controller

Cortex XDR Analytics Alert Reference by data source
Last date published
2024-04-15
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

7 Days

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent
      OR
    • Third-Party Firewalls

Detection Modules

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Use Alternate Authentication Material: Pass the Hash (T1550.002)

Severity

Low

Description

A domain controller has initiated an SMB connection to another host. The domain controllers usually communicate over SMB only with other domain controllers. An attacker can abuse such sessions for relay attacks.

Attacker's Goals

An attacker is attempting to steal credentials and move laterally within a network.

Investigative actions

  • Check if the destination is domain controller, if it is, exclude it.
  • Look for earlier connections to the DC which may cause it to initiate the session.