SOLVED

1.7.575.57477 lots of "Reconnaissance using directory service enumeration"


Hi,

I am seeing a lot of "Suspicious Activity" in ATA relating to "Reconnaissance using directory services enumeration" from clients and servers.

I believe this was addressed in an earlier build of 1.7, am I safe to assume that these incidents are worthy of investigation?

Kind Regards

Pete Holland

6 Replies
Best Response confirmed by Peter Holland (Contributor)
Solution

Hi,

As you mentioned this is a known issue with ATA 1.7.
In some cases this suspicious activity can be caused by legitimate security solutions running on endpoints and servers. With ATA 1.7 Update 1 we've introduced the ability to disable this detection in order to stop generating these alerts. However it requires an additional manual step after deploying ATA 1.7 Update 1, which is described at https://support.microsoft.com/en-us/help/3191777/description-of-update-1-for-microsoft-advanced-thre...

We're further adding clustering and other elements to the detection logic in the upcoming release of ATA to improve the detection itself and automatically address this scenario.

Hope this helps!

Michael.


Hi Michael,

Many thanks, I had overlooked the actual activity required to disable this detection.

From a technical standpoint I am surprised that machines enumerate all AD objects quite so often, or at all; I wouldn't have thought they would have a need to know of anything else in Active Directory until they need to interact with the object.

Kind regards

Pete


So were we. I do suggest you look into the solution generating those queries (more from an operational perspective). 


Hello,

We have been receiving alerts for directory service enumeration and I was wondering if those were triggered from legitimate security solutions. When you refer to legitimate security solutions are you talking about tools for administration? Is there a reason for any other program to do directory service enumeration to pull all domain users? 

Andreas


Hi,

I'm familiar with a scenario where security scanners trigger these alerts but not admin tools. 

However - there could be a 3rd party tool which (for some reason) decided to use this specific RPC call. 


HTH.

BTW - In v.next we're adding a learning mechanism to avoid these exact scenarios.
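The two replies above describe the same operational problem from both sides: a scheduled security scanner fires this detection on a fixed cadence, while the alert that actually matters is a host that starts enumerating the directory out of nowhere. The script below is an added example (not ATA's own detection logic, and not code from anyone in this thread) of how a responder could sort exported alerts by source host before opening tickets. It assumes the alerts have been exported as one record per (timestamp, source host, target DC, objects enumerated); the host names, dates and counts are constructed for illustration.

```python
"""Triage exported "directory services enumeration" alerts by source host.

Added example, not part of ATA. A source that has alerted on a tight,
regular cadence for longer than a learning window is probably a scheduled
tool (find out which one and document it); a source seen for the first
time inside the window is the one to investigate as reconnaissance.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: (ISO timestamp, source host, target DC, objects enumerated).
# vscan01 mimics a nightly scanner, ws-finance-17 a workstation that suddenly
# enumerates two DCs, fileserver03 an occasional, irregular enumerator.
ALERTS = [
    ("2017-03-01T02:00:05", "vscan01", "dc01", 4200),
    ("2017-03-02T02:00:07", "vscan01", "dc01", 4210),
    ("2017-03-03T02:00:04", "vscan01", "dc01", 4215),
    ("2017-03-04T02:00:06", "vscan01", "dc01", 4220),
    ("2017-03-05T02:00:09", "vscan01", "dc02", 4225),
    ("2017-03-06T02:00:03", "vscan01", "dc01", 4230),
    ("2017-03-07T02:00:05", "vscan01", "dc01", 4232),
    ("2017-03-01T09:15:00", "fileserver03", "dc01", 3900),
    ("2017-03-02T10:00:00", "fileserver03", "dc01", 3905),
    ("2017-03-06T16:40:00", "fileserver03", "dc02", 3950),
    ("2017-03-08T13:20:00", "fileserver03", "dc01", 3960),
    ("2017-03-07T11:42:13", "ws-finance-17", "dc01", 4232),
    ("2017-03-07T11:43:50", "ws-finance-17", "dc02", 4232),
]


def group_by_source(records):
    """Bucket alert records by source host, sorted by time within each bucket."""
    by_src = defaultdict(list)
    for ts, src, dc, count in records:
        by_src[src].append((datetime.fromisoformat(ts), dc, count))
    for events in by_src.values():
        events.sort()
    return by_src


def gap_stats(times):
    """Mean inter-alert gap in seconds and its coefficient of variation.

    Needs at least three alerts (two gaps); returns None otherwise.
    """
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def classify(records, learning_days=5, max_cv=0.1):
    """Label each source host as periodic, new-source or irregular.

    learning_days and max_cv are illustrative thresholds, not ATA settings.
    """
    report = {}
    for src, events in group_by_source(records).items():
        times = [t for t, _, _ in events]
        span_days = (times[-1] - times[0]).total_seconds() / 86400
        stats = gap_stats(times)
        if stats and stats[1] <= max_cv and span_days >= learning_days:
            verdict = "periodic"      # steady cadence beyond the learning window: scheduled tool?
        elif span_days < learning_days:
            verdict = "new-source"    # first seen recently: investigate as reconnaissance
        else:
            verdict = "irregular"     # long-lived but no schedule: review case by case
        report[src] = {
            "verdict": verdict,
            "alerts": len(events),
            "targets": sorted({dc for _, dc, _ in events}),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "period_hours": round(stats[0] / 3600, 2) if stats else None,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(classify(ALERTS).items()):
        print(f"{src:15} {info['verdict']:11} alerts={info['alerts']} "
              f"targets={','.join(info['targets'])} period_h={info['period_hours']}")
```

A "periodic" verdict is a pointer for the operational follow-up Michael suggests (find the scanner or plugin behind it), not a reason to ignore the host: an attacker who lands on the scanner box inherits its alert suppression, so its target list and object counts should still be checked for drift.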


I genuinely haven't had time to track down what is causing the query/call to be performed.

I'm hoping it's probably something stupid like an address book plugin.