FalconFriday — Monitoring for public shares — 0xFF1A

In this blog we will explore how Microsoft Sentinel can be used to monitor a Windows environment for the creation of public SMB shares: shares accessible to the entire domain, including users, service accounts and computer accounts. The objective is to help prevent accidental information leakage, vulnerabilities or other abuse resulting from inappropriate share permissions.

During our red teaming projects we often find sensitive data on shares that are open to a large audience in the organization. For example, they may be shared with the built-in group ‘Everyone’, which includes all ‘Authenticated Users’ (i.e., everyone and everything that is authenticated to the Windows domain), effectively exposing the information in the share to the entire organization.
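As an added example (not code from the original post), the core check such a detection needs: parse the SDDL security descriptor of a share, as recorded for instance in Windows security event 5143 (network share object modified), and flag shares whose DACL grants access to Everyone or Authenticated Users. The event layout and the sample descriptors below are constructed for illustration.

```python
import re

# Well-known SIDs, and their SDDL abbreviations, that make a share "public":
# Everyone (S-1-1-0 / WD) and Authenticated Users (S-1-5-11 / AU).
PUBLIC_PRINCIPALS = {"S-1-1-0": "Everyone", "WD": "Everyone",
                     "S-1-5-11": "Authenticated Users", "AU": "Authenticated Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return (type, flags, rights, trustee) for each ACE in the D: part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        # ACE string layout: type;flags;rights;object_guid;inherit_object_guid;account_sid
        fields = body.split(";")
        if len(fields) < 6:
            continue
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces

def public_grants(sddl):
    """Return the broad principals that receive an access-allowed (not deny) ACE."""
    found = []
    for ace_type, _flags, _rights, trustee in parse_dacl(sddl):
        if ace_type == "A" and trustee in PUBLIC_PRINCIPALS:
            name = PUBLIC_PRINCIPALS[trustee]
            if name not in found:
                found.append(name)
    return found

# Constructed sample events shaped like the ShareName / NewSd fields of event 5143.
SAMPLE_EVENTS = [
    {"ShareName": r"\\*\Finance", "NewSd": "D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;WD)"},
    {"ShareName": r"\\*\HR",      "NewSd": "D:(A;;FA;;;BA)(A;;0x1200a9;;;S-1-5-11)"},
    {"ShareName": r"\\*\ITAdmin", "NewSd": "D:(A;;FA;;;BA)(D;;FA;;;WD)"},  # deny ACE only
]

def find_public_shares(events):
    """Return (ShareName, [principals]) for every event whose new DACL grants broad access."""
    return [(e["ShareName"], public_grants(e["NewSd"]))
            for e in events if public_grants(e["NewSd"])]

if __name__ == "__main__":
    for name, who in find_public_shares(SAMPLE_EVENTS):
        print(f"ALERT: share {name} accessible to {', '.join(who)}")
```

The third sample shows the edge case to get right: a deny ACE for Everyone is not a grant and must not raise an alert.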

