Possible Distributed File System Namespace Management (DFSNM) abuse

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

High

Description

A possible abuse of the Distributed File System Namespace Management (DFSNM) protocol.

Attacker's Goals

  • An attacker can abuse the Distributed File System Namespace Management protocol to coerce authentication from a domain controller (DC).
  • The coerced authentication can later be used to obtain a DC certificate, which in turn enables DCSync.

Investigative actions

  • Check the initiating host for a suspicious process.
  • Check whether the source host is a vulnerability scanner.
  • Look for unusual AD CS certificate requests.
  • Check for related DCSync alerts.