Interface UUID: 4FC742E0-4A10-11CF-8273-00AA004AE673 (MS-DFSNM, the netdfs interface)
Process: dfssvc.exe (on a Domain Controller)
Transport: ncacn_np over \\pipe\netdfs

Network:
- Inbound connection over TCP port 445 to the System process (PID 4), followed by a connection to the netdfs named pipe.

Methods:
- NetrDfsRemoveStdRoot (potentially more; this is the only method that was tested)
Host (server side):

- Event ID 5145 (A network share object was checked to see whether client can be granted desired access; requires the "Audit Detailed File Share" subcategory to be enabled)
  - Account Name: domain user
  - Object Type: File
  - Share Name: \\*\IPC$
  - Relative Target Name: netdfs
  - Access Mask: 0x12019F
  - Accesses: ReadData (or ListDirectory), WriteData (or AddFile) (the mask also carries AppendData, ReadEA/WriteEA, ReadAttributes/WriteAttributes, ReadControl and Synchronize)
  - Source Address: where the request is coming from; good context during an investigation.

- Event ID 4624
  - Logon Type: 3 (network)
  - Account Name: domain user
  - Process ID: 0x0
  - Elevated Token: Yes
  - Authentication Package: NTLM (the PoC's default; subject to change and could be Kerberos)

Join the two events on Logon ID (Subject Logon ID in 5145, Target Logon ID in 4624) when writing queries.
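The Logon ID join described above, as an added PowerShell example (not code from the original page). The event records in $SampleEvents are constructed for the example; Get-NetdfsEvents at the bottom shows how to flatten real 4624/5145 events from the Security log into the same shape. The sample account name, Logon ID and source address are placeholders.

```powershell
# Added example, not from the original page: correlate 5145 (IPC$ / netdfs pipe
# access) with the 4624 network logon of the same session, joined on Logon ID.

function Find-NetdfsPipeAccess {
    param([Parameter(Mandatory)] [object[]] $Events)

    # Index 4624 network logons (type 3) by Logon ID (hashtable keys are case-insensitive).
    $logons = @{}
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4624 -and "$($_.LogonType)" -eq '3' })) {
        $logons[$e.LogonId] = $e
    }

    # One record per 5145 that targets the netdfs pipe under \\*\IPC$; other pipes are ignored.
    foreach ($e in ($Events | Where-Object { $_.Id -eq 5145 })) {
        if ($e.ShareName -ne '\\*\IPC$' -or $e.RelativeTargetName -ne 'netdfs') { continue }
        $logon = $logons[$e.LogonId]
        $mask  = [int]$e.AccessMask                         # '0x12019F' -> 1179039
        $auth  = if ($logon) { $logon.AuthenticationPackage } else { 'no 4624 found' }
        $elev  = if ($logon) { $logon.ElevatedToken }         else { 'no 4624 found' }
        [pscustomobject]@{
            Time          = $e.Time
            Account       = $e.AccountName
            LogonId       = $e.LogonId
            SourceAddress = $e.SourceAddress
            AccessMask    = $e.AccessMask
            WriteData     = (($mask -band 0x2) -ne 0)        # WriteData bit of the access mask
            AuthPackage   = $auth
            ElevatedToken = $elev
        }
    }
}

# Constructed sample events (placeholder account, Logon ID and address).
$SampleEvents = @(
    [pscustomobject]@{ Id=4624; Time='10:00:00'; LogonId='0x3E7A12'; LogonType='3'; AccountName='jdoe'
                       AuthenticationPackage='NTLM'; ElevatedToken='Yes' }
    [pscustomobject]@{ Id=5145; Time='10:00:01'; LogonId='0x3E7A12'; AccountName='jdoe'; ShareName='\\*\IPC$'
                       RelativeTargetName='netdfs'; AccessMask='0x12019F'; SourceAddress='10.0.0.25' }
    [pscustomobject]@{ Id=5145; Time='10:00:02'; LogonId='0x3E7A12'; AccountName='jdoe'; ShareName='\\*\IPC$'
                       RelativeTargetName='srvsvc'; AccessMask='0x12019F'; SourceAddress='10.0.0.25' }   # benign noise
)

Find-NetdfsPipeAccess -Events $SampleEvents | Format-Table -AutoSize

# On a DC: pull real events and flatten the EventData XML into the fields used above.
function Get-NetdfsEvents {
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,5145; StartTime=(Get-Date).AddHours(-$Hours) } |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $is4624  = ($_.Id -eq 4624)
        $logonId = if ($is4624) { $d['TargetLogonId'] }  else { $d['SubjectLogonId'] }
        $account = if ($is4624) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
        # Raw XML stores Elevated Token as a resource id; %%1842 renders as "Yes", %%1843 as "No".
        $elev = switch ($d['ElevatedToken']) { '%%1842' { 'Yes' } '%%1843' { 'No' } default { $_ } }
        [pscustomobject]@{
            Id=$_.Id; Time=$_.TimeCreated; LogonId=$logonId; LogonType=$d['LogonType']; AccountName=$account
            AuthenticationPackage=$d['AuthenticationPackageName']; ElevatedToken=$elev
            ShareName=$d['ShareName']; RelativeTargetName=$d['RelativeTargetName']
            AccessMask=$d['AccessMask']; SourceAddress=$d['IpAddress']
        }
    }
}
# Find-NetdfsPipeAccess -Events (Get-NetdfsEvents -Hours 24) | Format-Table -AutoSize
```

The 5145 row for srvsvc is dropped and the netdfs row is reported with the NTLM/elevated-token context from its 4624. A netdfs hit with no matching 4624 in the window is still emitted, so a logon that predates the query window is visible rather than silently lost.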
RPC Filter:

Example (typed into netsh; the commands are in the rpc filter context):

rpc filter add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;DA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=4FC742E0-4A10-11CF-8273-00AA004AE673
add filter
quit

This filter only allows Domain Admins (the DA SID alias in the SDDL) to communicate over interface 4FC742E0-4A10-11CF-8273-00AA004AE673; the second rule blocks every other caller on that interface.

Other mitigations:
- Disable NTLM authentication.
- Enable SMB signing.
- The DFS service is running by default on Domain Controllers, so stopping or disabling it might break functionality.
- If you don't want to grant Domain Admins in this DACL, create a dedicated group for this action and change the DACL to use that group's SID, e.g. D:(A;;CC;;;S-1-5-21-3637186843-3378876361-2759896766-2106).
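The dedicated-group variant of the filter above, as an added PowerShell example (not code from the original page): the group name CONTOSO\DFS-Admins is an assumption to be replaced with your own, the SID is resolved at run time, the netsh script is written to a file and applied with netsh -f, and the result is listed with netsh rpc filter show filter. Run it elevated on the Domain Controller.

```powershell
# Added example, not from the original page: build and apply the RPC filter for
# the netdfs interface so that only members of one AD group may call it.

$Interface = '4FC742E0-4A10-11CF-8273-00AA004AE673'   # MS-DFSNM (netdfs)
$Group     = 'CONTOSO\DFS-Admins'                     # assumption: your dedicated group

function Get-GroupSid {
    # Resolve DOMAIN\Group to its SID string (S-1-5-21-...).
    param([Parameter(Mandatory)][string] $Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-RpcFilterScript {
    # Same rules as the netsh example on this page, with the group SID in place of DA.
    # CC in the SDDL is the right that the RPC filter checks for "allowed to call".
    param(
        [Parameter(Mandatory)][string] $Uuid,
        [Parameter(Mandatory)][string] $Sid
    )
    @"
rpc
filter
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=$Uuid
add condition field=remote_user_token matchtype=equal data=D:(A;;CC;;;$Sid)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=$Uuid
add filter
quit
"@
}

$sid    = Get-GroupSid -Account $Group
$script = New-RpcFilterScript -Uuid $Interface -Sid $sid
$path   = Join-Path $env:TEMP 'netdfs-rpc-filter.txt'
Set-Content -Path $path -Value $script -Encoding ASCII

netsh -f $path                     # apply both rules (permit group, block the rest)
netsh rpc filter show filter       # verify; note the filterKey values for rollback

# Roll back one rule with: netsh rpc filter delete filter filterkey=<key from 'show filter'>
```

The permit rule is added before the block rule, matching the order of the page's own example. After applying, confirm the group's members can still manage DFS namespaces on the DC before leaving the filter in place, since the block rule refuses every other caller of the interface.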