Forum Discussion
mehdimoujib
Jun 08, 2023, Copper Contributor
MDI can't detect account enumeration
Hello everyone,
Is it typical for MDI to be unable to identify the following types of enumeration?
- crackmapexec smb "DC IP Address" --users -u 'domainuser' -p 'Mypassword'
- crackmapexec smb "DC IP Address" --pass-pol -u 'domainuser' -p 'Mypassword'
- net rpc group members 'Domain Admins' -I 'domain' -U '%'
Is there a way to prevent or fix this issue?
Considering that we have completed all the simulated attack tests for MDI listed below with success:
https://learn.microsoft.com/en-us/defender-for-identity/playbooks
Thanks,
thalpius, Brass Contributor
For the first command, I'm not sure if cme uses the IPC$ named pipe for user enum or the SAM-R protocol, but if it's SAM-R then this should trigger an alert.
Did you deploy the sensor recently? There's a learning period of 30 days which does not trigger an alert using the SAM-R protocol. There's an option to disable the learning period but it might come with false positives in the beginning.
The second command does not trigger an alert I think since you're getting the password policy with an authenticated user.
The last command should use SAM-R, I think, but be sure you didn't deploy the sensor recently, or disable the learning period.
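A defender-side check for the SAM-R enumeration thalpius describes, as an added example that is not part of this thread or of MDI itself: it scans constructed, simplified records modelled on Windows Security event 4661 (the domain controller's SAM object-access audit) and flags accounts that open many distinct user/group objects in a short window, while a single password-policy (domain object) read like the second command is left alone. The field names, thresholds and sample values are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records modelled on Windows Security event 4661
# ("A handle to an object was requested", Object Server "Security Account Manager"),
# which a domain controller logs when SAM-R is used to open user, group or domain
# objects. The field names are assumptions for this example, not the event schema.
SAMPLE_4661 = [
    # domainuser opens six distinct user objects in two minutes: bulk listing
    {"time": "2023-06-08T10:00:00", "subject": "CORP\\domainuser", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1105"},
    {"time": "2023-06-08T10:00:05", "subject": "CORP\\domainuser", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1106"},
    {"time": "2023-06-08T10:00:10", "subject": "CORP\\domainuser", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1107"},
    {"time": "2023-06-08T10:00:15", "subject": "CORP\\domainuser", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1108"},
    {"time": "2023-06-08T10:00:20", "subject": "CORP\\domainuser", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1109"},
    {"time": "2023-06-08T10:01:50", "subject": "CORP\\domainuser", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1110"},
    # a single domain-object handle (password policy read) is not enumeration
    {"time": "2023-06-08T10:02:00", "subject": "CORP\\domainuser", "object_type": "SAM_DOMAIN", "object_name": "CORP"},
    # helpdesk opens two user objects an hour apart: normal administration
    {"time": "2023-06-08T09:00:00", "subject": "CORP\\helpdesk", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1105"},
    {"time": "2023-06-08T10:00:00", "subject": "CORP\\helpdesk", "object_type": "SAM_USER", "object_name": "S-1-5-21-1-1-1-1200"},
]

# Object types whose bulk lookup indicates user/group enumeration
ENUM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP", "SAM_ALIAS"}


def detect_samr_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """Return {subject: max_distinct_objects} for accounts that opened at least
    `threshold` distinct SAM user/group/alias objects inside any `window` span."""
    per_subject = defaultdict(list)
    for ev in events:
        if ev["object_type"] in ENUM_OBJECT_TYPES:
            per_subject[ev["subject"]].append(
                (datetime.fromisoformat(ev["time"]), ev["object_name"]))
    flagged = {}
    for subject, rows in per_subject.items():
        rows.sort()  # chronological, so each slice below starts at event i
        best = 0
        for i, (start, _) in enumerate(rows):
            # distinct objects opened within `window` of this event
            seen = {name for t, name in rows[i:] if t - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[subject] = best
    return flagged
```

Tune `window` and `threshold` to the normal SAM-R activity of your own helpdesk and service accounts before treating a hit as an alert.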