We started to use Microsoft Advanced Threat Analytics (ATA) a couple of months ago. Honestly, it seems to be a pretty good toy. I know what I used to do when pen testing internal networks, and this guy's alerts are pretty well aligned with those things. So ATA alerts have high priority on my list.

However, we recently started to receive a bunch of them. Most of the alerts were either "Suspicion of identity theft based on abnormal behavior" or "Reconnaissance using directory services enumeration". Let's put the second one aside for a second; that's a different story. DISCLAIMER: this alert can be either a "High" or a "Medium" severity event. Everything in this post refers to the "Medium" alert. The Highs are different and should be investigated!! So let's say you received a Medium alert of this identity theft thingy. The first thing you want to check is those "abnormal resources". If you click on the link, you get the list of the accessed computers and the protocols used. If you are like me, you won't find anything interesting among the computers, except for the fact that in most cases there are a lot of them. As you can see on the screenshot above, we had 123 computers just for that single alert. Pay attention to that listing though! In every single case the remote host was accessed via CIFS (445/tcp). If you are familiar with pen testing and SMB auth probes, this is most probably the last thing you want to see: a lot of SMB connections from a single computer to several others. Someone might be running SMB auth sweeps on the network.

On top of that, such an alert indicates successful connections. As bad as it looked, something just didn't match. It was getting worse and worse... We had a bunch of these alerts from a lot of different source computers, and we found nothing suspicious besides these ATA alerts. So I started to check the source computers.
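As an added example (not code from the original post), here is a small Python helper for triaging the "abnormal resources" listing described above: it groups an exported list of accesses by source computer and reports which sources touched many distinct hosts exclusively over 445/tcp, the fan-out pattern the post flags. The listing format, host names and `->` separator are constructed assumptions, not ATA's real export format.

```python
import re
from collections import defaultdict

# Constructed sample listing, one access per line:
# <source computer> -> <accessed computer> via <protocol> (<port>/<transport>)
# This format is an assumption for the example, not ATA's actual export.
SAMPLE_LISTING = """\
WS-0042 -> FS-01 via CIFS (445/tcp)
WS-0042 -> FS-02 via CIFS (445/tcp)
WS-0042 -> PRN-07 via CIFS (445/tcp)
WS-0042 -> FS-01 via CIFS (445/tcp)
WS-0107 -> DC-01 via LDAP (389/tcp)
WS-0107 -> FS-03 via CIFS (445/tcp)
WS-0107 -> FS-04 via CIFS (445/tcp)
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) via (\S+) \((\d+)/(tcp|udp)\)$")


def parse_listing(text):
    """Yield (source, target, protocol, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def summarize_by_source(text):
    """Per source computer: distinct targets, accesses per protocol/port,
    and whether every single access went over 445/tcp (CIFS)."""
    per_source = defaultdict(list)
    for src, tgt, proto, port in parse_listing(text):
        per_source[src].append((tgt, proto, port))
    summary = {}
    for src, rows in per_source.items():
        protocols = defaultdict(int)
        for _, proto, port in rows:
            protocols[f"{proto}/{port}"] += 1
        summary[src] = {
            "distinct_targets": len({tgt for tgt, _, _ in rows}),
            "protocols": dict(protocols),
            "all_smb_445": all(port == 445 for _, _, port in rows),
        }
    return summary


def smb_fanout_sources(text, min_targets=3):
    """Sources that reached at least min_targets distinct hosts, all over 445/tcp:
    the 'many computers, all via CIFS' shape worth a closer look on the source."""
    summary = summarize_by_source(text)
    return sorted(src for src, v in summary.items()
                  if v["all_smb_445"] and v["distinct_targets"] >= min_targets)
```

Sources returned by `smb_fanout_sources` are candidates for the host-side check the post goes on to do; a mixed-protocol source such as WS-0107 in the sample is not flagged.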