We started to use Microsoft Advanced Threat Analytics (ATA) a couple of months ago. It seems to be a pretty good toy, honestly. I know what I used to do when pen testing internal networks, and this product's alerts line up pretty well with those things. So ATA alerts have high priority on my list. However, we started to receive a bunch of them recently. Most of the alerts were either "Suspicion of identity theft based on abnormal behavior" or "Reconnaissance using directory services enumeration". Let's put the second one aside for a moment; that's a different story. The first one, though, bugged me a lot. DISCLAIMER: this alert can be either a "High" or a "Medium" severity event. Everything in this post refers to the "Medium" alert. The Highs are different and should be investigated!!
So let's say you received a Medium alert of this identity theft thingy. It should look something like this:
The first thing you want to check is those "abnormal resources". If you click the link, you get the list of accessed computers and the protocols used. If you are like me, you won't find anything interesting among the computers, except that in most cases there are a lot of them. As you can see in the screenshot above, we had 123 computers for that single alert. Pay attention to that listing though! In every single case the remote host was accessed via CIFS (445/tcp).
If you are familiar with pen testing and SMB auth probes, this is probably the last thing you want to see: a lot of SMB connections from a single computer to many others. Someone might be running SMB auth sweeps on the network. On top of that, such an alert indicates successful connections. Getting worse and worse...
As bad as it looked, something just didn't add up. We had a bunch of these alerts from a lot of different source computers, and we found nothing suspicious besides the ATA alerts themselves. So I started to check the source computers. I didn't know what I was looking for. My first thought was that it was some application doing weird stuff. So the plan was to collect all the computers and ask desktop support to help me find something they had in common. While I was collecting the computers I realized all of them were Windows 10. This was no surprise, as we were rolling out Win10 like crazy. However, I also knew that our other division was still on Windows 7, and they saw no such alerts. Okay... so maybe it's something with Win10, right? After searching a bit, it hit me... crap... it was so obvious (after I found it :)). This is the new Windows 10 feature called Delivery Optimization. If you are not familiar with this feature, it's basically peer-to-peer Windows updates. Yep, your Windows 10 machine can download updates from, and serve them to, other computers. You can find a short summary of the feature here: https://privacy.microsoft.com/en-us/windows-10-windows-update-delivery-optimization
As I understand it, the Delivery Optimization Service (DoSvc) uses dedicated ports (a TCP listener on port 7680 and a UDP receiver on port 3544); however, the peer discovery method uses 445/tcp, which kind of makes sense. At least this is my best guess so far; I still need to do some testing.
If you want some additional details and want to look under the hood: http://windowsitpro.com/windows-10/how-does-delivery-optimization-windows-10-work
And finally, if you want to learn how to control WUDO: https://www.ghacks.net/2016/08/17/windows-10-update-delivery-optimization/
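To make the triage described above repeatable, here is a small PowerShell helper set. It is an added example, not code from the original post or from Microsoft: the first function groups the alert's source computers by operating system (the check that pointed at Windows 10), the second inspects one suspected source host for the DoSvc service, the effective DODownloadMode and the 7680/tcp listener, and the third pins the download mode via the same registry value the Group Policy setting writes. Assumptions: the RSAT ActiveDirectory module and WinRM are available, the host runs Windows 10 1703 or later for Get-DeliveryOptimizationStatus (and that its output carries a BytesFromPeers property), the computer names are placeholders, and the 0/1/2/3/99/100 mode values are the documented DODownloadMode policy values.

```powershell
# Added example (not from the original post): triage helpers for the
# "abnormal behavior" ATA alert when Delivery Optimization is suspected.
# Assumes RSAT ActiveDirectory, WinRM, Windows 10 1703+ and admin rights.

# Step 1: take the source computers from the ATA alerts and group them by OS.
# If every source is Windows 10 and the Windows 7 fleet is absent, DO is a candidate.
function Get-AlertSourceOsSummary {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $ComputerName | ForEach-Object {
        Get-ADComputer -Identity $_ -Properties OperatingSystem, OperatingSystemVersion
    } | Group-Object -Property OperatingSystem | Select-Object Count, Name
}

# Documented DODownloadMode policy values.
$DoModeNames = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

# Step 2: on one source host, confirm DoSvc is running, which download mode is in
# force (policy key wins over the user-facing config key) and whether the 7680/tcp
# peer listener is up. BytesFromPeers shows whether P2P actually happened.
function Get-DeliveryOptimizationTriage {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $raw = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        $configKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'
        $policyMode = (Get-ItemProperty -Path $policyKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
        $configMode = (Get-ItemProperty -Path $configKey -Name DODownloadMode -ErrorAction SilentlyContinue).DODownloadMode
        $effective  = if ($null -ne $policyMode) { $policyMode } else { $configMode }
        $listener   = Get-NetTCPConnection -LocalPort 7680 -State Listen -ErrorAction SilentlyContinue
        # Get-DeliveryOptimizationStatus exists on 1703 and later; property name assumed.
        $status    = Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue
        $peerBytes = 0
        if ($status) { $peerBytes = ($status | Measure-Object -Property BytesFromPeers -Sum).Sum }
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            OSVersion      = [System.Environment]::OSVersion.Version.ToString()
            DoSvcStatus    = (Get-Service -Name DoSvc -ErrorAction SilentlyContinue).Status
            PolicyMode     = $policyMode
            EffectiveMode  = $effective
            Listening7680  = [bool]$listener
            BytesFromPeers = $peerBytes
        }
    }
    # Translate the numeric mode; a missing value means the OS default applies.
    $raw | Select-Object Computer, OSVersion, DoSvcStatus, PolicyMode, EffectiveMode,
        @{ n = 'EffectiveModeName'; e = {
            if ($null -eq $_.EffectiveMode) { 'not set (OS default)' } else { $DoModeNames[[int]$_.EffectiveMode] } } },
        Listening7680, BytesFromPeers
}

# Step 3: pin the download mode. 0 turns peering off entirely; 1 keeps it on the LAN.
# This writes the same value the "Download Mode" Group Policy setting writes, so a
# GPO-managed fleet should set it through policy instead of this function.
function Set-DeliveryOptimizationMode {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 99, 100)][int]$Mode,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name DODownloadMode -Value $using:Mode -Type DWord
        Restart-Service -Name DoSvc -ErrorAction SilentlyContinue
        (Get-ItemProperty -Path $policyKey -Name DODownloadMode).DODownloadMode
    }
}

# Usage (placeholder names):
# Get-AlertSourceOsSummary -ComputerName 'PC-0001', 'PC-0002', 'PC-0003'
# Get-DeliveryOptimizationTriage -ComputerName 'PC-0001'
# Set-DeliveryOptimizationMode -Mode 1 -ComputerName 'PC-0001'
```

Run the triage function against a handful of the alert's source computers before changing anything: a Windows 10 host with DoSvc running, 7680/tcp listening and a non-zero BytesFromPeers value is consistent with Delivery Optimization traffic, whereas a source with peering disabled (mode 0) that still shows up in fresh alerts deserves the usual lateral-movement investigation.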