Forum Discussion
Reconnaissance using account enumeration - how to troubleshoot
Hello,
I have a new install of ATA on 6 DCs. 2 DCs are in Azure space for our AD Connect sync/ADFS. Is this alert a common occurrence seen on ADFS/WAP servers? Is it safe to create an exception?
Shortly after the ATA lightweight gateway was installed on the 2 DCs in Azure, this started to report "Reconnaissance using account enumeration" originating from our ADFS servers (x2). The two DCs in Azure chat with the 2 ADFS servers in Azure (the other 4 DCs are on-prem).
I have read this https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide but still need some assistance to identify if this is malicious or not.
- Total accounts guessed = 1012
- Existing accounts found = 27 (many of these are disabled user accounts)
- Non-existing accounts guessed = 984
Of the non-existing accounts, I would guess about 1/2 of them are old or disabled accounts. The other 1/2 appear to be guesses (i.e. morse54@myCo.com, rios035@myCo.com, lkgxgaiztcetlq@myCo.com).
For the accounts that were found and enabled, I do see bad password attempts, but they are hours apart. Perhaps this is a very slow brute force attack to not raise red flags or lock out the account?
Thanks, any tips or comments are appreciated.
5 Replies
- homayoonfayaz (Copper Contributor)
DrewP2400 I also have this issue; did you solve it?
- Mark Lewis (Brass Contributor)
DrewP2400 The accounts that have been uncovered, are they on https://haveibeenpwned.com/ ? In which case it could be a low and slow attack using a list obtained from a breach. Do you have ADFS Proxies as well? Could you put Smart Lockout on? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection Are you already using Azure MFA?
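Taking the Smart Lockout suggestion above into a concrete, audit-first rollout (an added example, not part of the thread; it assumes AD FS on Windows Server 2016 with the smart lockout update or later, an elevated session on the primary AD FS server, that the prerequisites in the linked doc are already done, and uses placeholder thresholds and a placeholder UPN):

```powershell
# Added example: roll out AD FS Extranet Smart Lockout in log-only mode first,
# then enforce. Thresholds and the UPN below are placeholders, not values
# from the thread.

# 1. Record the current lockout configuration before changing anything.
Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutMode,
                  ExtranetLockoutThreshold,
                  ExtranetLockoutThresholdFamiliarLocation,
                  ExtranetObservationWindow

# 2. Start in log-only mode: bad-password counters are tracked separately
#    for familiar and unfamiliar locations and written to the audit log,
#    but nothing is locked out yet. This shows whether the slow guesses
#    against the 27 existing accounts arrive from unfamiliar locations
#    before any user can be blocked.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutMode ADFSSmartLockoutLogOnly `
    -ExtranetLockoutThreshold 10 `
    -ExtranetLockoutThresholdFamiliarLocation 20 `
    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
Restart-Service adfssrv

# 3. Inspect one of the flagged existing accounts (placeholder identity).
#    An unfamiliar-location bad-password count that keeps climbing while the
#    familiar-location count stays flat is the pattern of an external
#    low-and-slow guess rather than a user mistyping their password.
Get-ADFSAccountActivity -Identity 'user@myCo.com'

# 4. Once the log-only data looks right, switch to enforcement so the
#    unfamiliar-location counter actually blocks, while the legitimate user
#    keeps signing in from their familiar IPs.
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
Restart-Service adfssrv
```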
- Tali Ash (Former Employee)
We are not familiar with such cases.
I would recommend verifying it with the ADFS and AD Connect product groups, in case there are built-in processes that exhibit such behavior.
As already shared, the known issue we are familiar with is with replication.
Thanks,
Tali
- Joel Jerkin (Copper Contributor)
Azure AD Connect servers are typically causing false-positive alerts and could be excluded under "Suspected DCSync attack (replication of directory services)".
- DrewP2400 (Copper Contributor)
Thanks for the reply, however, in this case AD Connect or replication of DS is not involved in this scenario.