Synopsis
| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 7 Days |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Use Alternate Authentication Material: Pass the Hash (T1550.002) |
| Severity | Low |
Description
A domain controller has initiated an SMB connection to a host that is not a domain controller. Domain controllers normally act as SMB servers and initiate SMB sessions only toward other domain controllers, so an outbound SMB session from a DC to an ordinary host is unusual. An attacker who can make a DC open such a session can relay the DC's authentication to another service, so this detector raises a single-event alert on the first such connection and suppresses repeats of the same source/destination pair for the deduplication period.
Attacker's Goals
An attacker is attempting to steal or relay credentials and move laterally within the network.
Investigative actions
- Check whether the destination host is itself a domain controller. If it is, the session is expected DC-to-DC traffic and can be excluded.
- Look for earlier inbound connections to the domain controller, in particular from the destination host, that may have caused the DC to initiate the outbound session; a relay attack typically begins with the attacker coercing the DC into connecting back to a host the attacker controls.
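The following is an added example, not the detector's own implementation, that runs the logic described above over a constructed flow log: it flags SMB (TCP/445) connections whose source is a known domain controller and whose destination is not, deduplicates repeated alerts for the same source/destination pair within a 7-day window, and performs the second investigative step by listing inbound connections from the destination to the DC shortly before the alert. The domain controller inventory, the flow record format (`<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>`), the 30-minute lookback and all addresses are assumptions made for the example.

```python
"""Flag SMB sessions that a domain controller initiates toward a non-DC host.

Added example; not the detector's own code. Assumes flow records of the form
"<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>" and a known list of
domain controller addresses (both constructed here).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed inventory of domain controllers (hypothetical addresses).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
SMB_PORT = 445
DEDUP_PERIOD = timedelta(days=7)   # one alert per (DC, destination) pair per 7 days
LOOKBACK = timedelta(minutes=30)   # assumed window for the "earlier connection" check

# Constructed sample flow log (chronological).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.10 10.0.0.11 445 tcp
2024-05-01T10:05:00Z 10.0.0.50 10.0.0.10 445 tcp
2024-05-01T10:06:00Z 10.0.0.10 10.0.0.50 445 tcp
2024-05-01T11:00:00Z 10.0.0.11 10.0.0.60 389 tcp
2024-05-02T09:00:00Z 10.0.0.10 10.0.0.50 445 tcp
2024-05-10T09:00:00Z 10.0.0.10 10.0.0.50 445 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record."""
    ts, src, dst, dport, proto = line.split()
    return Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), proto)


def load_flows(text: str) -> list[Flow]:
    """Parse a log and return the flows sorted by timestamp."""
    flows = [parse_flow(line) for line in text.splitlines() if line.strip()]
    return sorted(flows, key=lambda f: f.ts)


def is_dc_smb_to_non_dc(flow: Flow) -> bool:
    """Core condition: SMB over TCP, source is a DC, destination is not a DC.
    DC-to-DC sessions are excluded here, which is the first investigative step."""
    return (flow.proto == "tcp" and flow.dport == SMB_PORT
            and flow.src in DOMAIN_CONTROLLERS
            and flow.dst not in DOMAIN_CONTROLLERS)


def detect(flows: list[Flow]) -> list[Flow]:
    """Return the flows that raise an alert. A repeat of the same (DC, destination)
    pair within DEDUP_PERIOD of the last alert for that pair is suppressed."""
    last_alert: dict[tuple[str, str], datetime] = {}
    alerts: list[Flow] = []
    for flow in flows:
        if not is_dc_smb_to_non_dc(flow):
            continue
        key = (flow.src, flow.dst)
        prev = last_alert.get(key)
        if prev is not None and flow.ts - prev < DEDUP_PERIOD:
            continue
        last_alert[key] = flow.ts
        alerts.append(flow)
    return alerts


def preceding_inbound(flows: list[Flow], alert: Flow,
                      lookback: timedelta = LOOKBACK) -> list[Flow]:
    """Second investigative step: connections from the alert's destination back
    to the DC shortly before the DC reached out. An inbound connection here is
    where a coercion of the DC would show up."""
    return [f for f in flows
            if f.dst == alert.src and f.src == alert.dst
            and alert.ts - lookback <= f.ts < alert.ts]


if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOG)
    for alert in detect(flows):
        print(f"ALERT {alert.ts:%Y-%m-%d %H:%M} {alert.src} -> {alert.dst}:{alert.dport}")
        for prior in preceding_inbound(flows, alert):
            print(f"  preceded by {prior.ts:%H:%M} {prior.src} -> {prior.dst}:{prior.dport}")
```

On the constructed log this raises two alerts for 10.0.0.10 -> 10.0.0.50: the first on 2024-05-01 (preceded one minute earlier by an inbound SMB connection from 10.0.0.50 to the DC, which is exactly the pattern to pull on during triage) and a second on 2024-05-10, because it falls outside the 7-day deduplication window; the 2024-05-02 repeat is suppressed, the DC-to-DC session is excluded, and the LDAP flow is ignored because it is not SMB.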