Forum Discussion
mehdimoujib
Jun 08, 2023, Copper Contributor
MDI can't detect account enumeration
Hello everyone, is it typical for MDI to be unable to identify the following types of enumeration? crackmapexec smb "DC IP Address" --users -u 'domainuser' -p 'Mypassword' crackmapexec smb...
thalpius
Jun 22, 2023, Brass Contributor
For the first command, I'm not sure if cme uses the IPC$ named pipe for user enum or the SAM-R protocol, but if it's SAM-R then this should trigger an alert.
Did you deploy the sensor recently? There's a learning period of 30 days which does not trigger an alert using the SAM-R protocol. There's an option to disable the learning period but it might come with false positives in the beginning.
The second command does not trigger an alert I think since you're getting the password policy with an authenticated user.
The last command should use SAM-R I think, but be sure you didn't deploy the sensor recently or disable the learning period.