cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

Peter Holland
Contributor

‎Jan 26 2017 09:33 AM - last edited on ‎Nov 30 2021 08:57 AM by

‎Jan 26 2017 09:33 AM - last edited on ‎Nov 30 2021 08:57 AM by

1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

Hi,

 

 

I am seeing a lot of "Suspicious Activity" in ATA relating to "Reconnaissance using directory services enumeration" from clients and servers.

I believe this was addressed in an earlier build of 1.7, am i safe to assume that these incidences are worthy of investigation?

 

Kind Regards

 

Pete Holland

5,456 Views
1 Like
6 Replies
Reply
6 Replies
best response confirmed by Peter Holland (Contributor)
Michael Dubinsky

‎Jan 31 2017 03:45 AM

‎Jan 31 2017 03:45 AM

Solution

Re: 1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

Hi,

As you mentioned this is a known issue with ATA 1.7.
In some cases this suspicious activity can be caused by legitimate security solutions running on endpoints and servers. With ATA 1.7 Update 1 we've introduced the ability to disable this detection in order to stop generating these alerts. However it requires an additional manual step after deploying ATA 1.7 Update 1, which is decsribed at https://support.microsoft.com/en-us/help/3191777/description-of-update-1-for-microsoft-advanced-thre...

 

We're further adding clustering and other elemets to the detection logic in the upcoming release of ATA to improve the detection itself and automatically address this scenario.

 

Hope this helps!

Michael.

0 Likes
Reply
Peter Holland

‎Feb 03 2017 05:44 AM

‎Feb 03 2017 05:44 AM

Re: 1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

Hi Michael,

 

Many thanks, i had overlooked the actual activity required to disable this detection.

 

From a technical standpoint I am surprised that machines enumerate all AD objects quiet so often, or at all, i wouldnt have thought they would have a need to know of anything else in Active Directory until they need to interact with the object.

 

Kind regards

 

Pete

0 Likes
Reply
Michael Dubinsky

‎Feb 09 2017 06:36 AM

‎Feb 09 2017 06:36 AM

Re: 1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

So were we. I do suggest you look into the solution generating those queries (more from an operational perspective). 

0 Likes
Reply
Αντρέας Νικολάου

‎Jun 12 2017 04:49 AM

‎Jun 12 2017 04:49 AM

Re: 1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

Hello,

We have been receiving alerts for directory service enumeration and I was wondering if those were triggered from legitimate security solutions. When you refer to legitimate security solutions are you talking about tools for administration? Is there a reason for any other program to do directory service enumeration to pull all domain users? 

Andreas

0 Likes
Reply
Michael Dubinsky

‎Jun 15 2017 11:29 AM

‎Jun 15 2017 11:29 AM

Re: 1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

Hi,

I'm familiar with a scenario where security scanners trigger these alerts but not admin tools. 

However - there could be a 3rd party tool which (for some reason) decided to use this specific RPC call. 

 

HTH.

BTW - In v.next we're adding a learning mechanism to avoid these exact scenarios.

1 Like
Reply
Peter Holland

‎Jul 12 2017 09:16 AM

‎Jul 12 2017 09:16 AM

Re: 1.7.575.57477 lots of "Reconnaissance using directory service enumeration"

I genuinely haven't had time to track down what is causing the query/call to be performed.

i'm hoping its probably something stupid like an address book plugin

0 Likes
Reply