Account enumeration reconnaissance from an unresolved computer.

Hi, we are getting an alert about account enumeration reconnaissance on our network. It says "an actor on MSTSC performed suspicious account enumeration exposing 2 existing account names." This enume...

EliOfek
Apr 18, 2019
It happens if the connection was attempted via RDP.

It's a protocol limitation, in the NTLM event, this is what the protocol is putting in the machine name field, and there is no IP address in this event.

I think this post can give hints on it:

https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Azure-ATP-Unresolved-Entity/m-p/252724?advanced=false&collapse_discussion=true&filter=location&location=forum-board:AzureAdvancedThreatProtection&q=MSTSC&search_type=thread

EliOfek

Microsoft

Apr 18, 2019

It happens if the connection was attempted via RDP.

It's a protocol limitation, in the NTLM event, this is what the protocol is putting in the machine name field, and there is no IP address in this event.

I think this post can give hints on it:

https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Azure-ATP-Unresolved-Entity/m-p/252724?advanced=false&collapse_discussion=true&filter=location&location=forum-board:AzureAdvancedThreatProtection&q=MSTSC&search_type=thread

blurn
Copper Contributor
Apr 18, 2019
EliOfek understood. Thank you for including that link. I am trying that now.

Forum Discussion

Account enumeration reconnaissance from an unresolved computer.

Resources