Forum Discussion

mehdimoujib
Copper Contributor
Jun 08, 2023

MDI can't detect account enumeration

Hello everyone,

Is it typical for MDI to be unable to identify the following types of enumeration?

  • crackmapexec smb "DC IP Address" --users -u 'domainuser' -p 'Mypassword'
  • crackmapexec smb "DC IP Address" --pass-pol -u 'domainuser' -p 'Mypassword'
  • net rpc group members 'Domain Admins' -I 'domain' -U '%'

Is there a way to prevent or fix this issue?

Considering that we have successfully completed all the simulated attack tests for MDI listed below:

https://learn.microsoft.com/en-us/defender-for-identity/playbooks

Thanks,

    thalpius
    Brass Contributor
    For the first command, I'm not sure if cme uses the IPC$ named pipe for user enumeration or the SAM-R protocol, but if it's SAM-R then this should trigger an alert.

    Did you deploy the sensor recently? There's a learning period of 30 days which does not trigger an alert using the SAM-R protocol. There's an option to disable the learning period but it might come with false positives in the beginning.

    The second command does not trigger an alert I think since you're getting the password policy with an authenticated user.

    The last command should use SAM-R, I think, but be sure you didn't deploy the sensor recently, or disable the learning period.
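
All three commands in the question (crackmapexec's --users and --pass-pol, and Samba's net rpc group members) talk to the domain controller over the SAM-R (MS-SAMR) RPC interface, which is exactly the traffic the reply above refers to. Independently of whether MDI is still in its learning period, a DC can log or block those calls itself through the "Network access: Restrict clients allowed to make remote calls to SAM" policy (the RestrictRemoteSam registry value). The script below is an added example written for this thread, not code from either poster or from Microsoft: it puts the policy into audit-only mode, then reads back the Directory-Services-SAM events that record which client would have been denied. The SDDL string, the one-hour window, and the property positions used to pull the client SID and address out of event 16965 are assumptions taken from the policy documentation; run it elevated on a lab DC and verify the event fields on your own build before relying on them.

```powershell
# Added example for this thread (not from the original posters or from Microsoft).
# Assumptions: runs elevated on a domain controller; $ClientsAllowedSddl is the
# documented default descriptor (Administrators only); event property order for
# 16965 is "Client SID" then "Network address" per the policy documentation.

$LsaKey            = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ClientsAllowedSddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # only BA (Administrators) may call SAM-R remotely

function Set-RemoteSamRestriction {
    param([switch]$Enforce)
    # RestrictRemoteSam is the SDDL every remote SAM-R caller is checked against.
    # RestrictRemoteSamAuditOnlyMode = 1 keeps the call working and only logs the
    # would-be denial, so you can see who relies on SAM-R before enforcing.
    Set-ItemProperty -Path $LsaKey -Name 'RestrictRemoteSam' -Value $ClientsAllowedSddl -Type String
    $auditOnly = if ($Enforce) { 0 } else { 1 }
    Set-ItemProperty -Path $LsaKey -Name 'RestrictRemoteSamAuditOnlyMode' -Value $auditOnly -Type DWord
    Get-ItemProperty -Path $LsaKey -Name 'RestrictRemoteSam', 'RestrictRemoteSamAuditOnlyMode'
}

function Get-RemoteSamDenials {
    param([int]$Hours = 1)
    # Event 16965 (provider Microsoft-Windows-Directory-Services-SAM, System log)
    # is written once per denied (or, in audit mode, would-be denied) SAM-R call.
    # 16969 is the throttled summary ("N calls denied in the past M seconds").
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
        Id           = 16965, 16969
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Only 16965 carries a per-client SID and address (assumed positions 0 and 1).
            $client  = if ($_.Id -eq 16965) { $_.Properties[0].Value } else { '(summary)' }
            $address = if ($_.Id -eq 16965) { $_.Properties[1].Value } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Client  = $client
                Address = $address
                Message = $_.Message
            }
        }
}

# 1. Switch to audit-only mode and show the resulting registry values.
Set-RemoteSamRestriction

# 2. Run the crackmapexec / net rpc commands from the question against this DC, then
#    list which client SID and source address generated SAM-R denial events.
Get-RemoteSamDenials -Hours 1 |
    Group-Object Client, Address |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 3. Once the audit log shows only expected callers, enforce:
#    Set-RemoteSamRestriction -Enforce
```

Stay in audit-only mode for a while before enforcing, for the same reason MDI has a learning period: some legitimate software and older clients resolve groups through SAM-R as ordinary domain users and will start failing once the descriptor is enforced. Enforcement only covers SAM-R; the same user and group information remains readable over LDAP to any authenticated account, so treat this as one layer alongside MDI rather than a replacement for it.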
