SOLVED

Account enumeration reconnaissance from an unresolved computer.

%3CLINGO-SUB%20id%3D%22lingo-sub-472054%22%20slang%3D%22en-US%22%3EAccount%20enumeration%20reconnaissance%20from%20an%20unresolved%20computer.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-472054%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20we%20are%20getting%20an%20alert%20about%20a%3CSPAN%3Eccount%20enumeration%20reconnaissance%20on%20our%20network.%20It%20says%20%22an%20actor%20on%20MSTSC%20performed%20suspicious%20account%20enumeration%20exposing%202%20existing%20account%20names.%22%20This%20enumeration%20included%20379%2C129%20guess%20attempts.%20Because%26nbsp%3Bof%20that%20being%20such%20a%20high%20number%2C%20I%20decided%20to%20further%20investigate%20this.%20When%20viewing%20details%20of%20the%20%22MSTSC%22%20computer%2C%20it%20has%20an%20unresolved%20tag%3A%20%22This%20user%2Fcomputer%2Fgroup%20was%20not%20synced%20from%20the%20domain%2C%20and%20was%20partially%20resolved%20via%20a%20global%20catalog.%20Some%20attributes%20are%20not%20available%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EBecause%20of%20that%2C%20I%20am%20not%20sure%20how%20to%20investigate%20where%20this%26nbsp%3Breconnaissance%20is%20originating%20from.%20There%20are%20no%20IP%20addresses%20associated%20with%20the%20%22MSTSC%22%20object.%20We%20also%20do%20not%20have%20any%20DNS%20entries%20or%20AD%20computers%20with%20the%20name%20%22MSTSC%22.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EAny%20tips%20on%20figuring%20out%20what%20the%20MSTSC%20object%20actually%26nbsp%3Bis%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-472082%22%20slang%3D%22en-US%22%3ERe%3A%20Account%20enumeration%20reconnaissance%20from%20an%20unresolved%20computer.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-472082%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20happens%20if%20the%20connection%20was%20attempted%20via%20RDP.%3C%2FP%3E%0A%3CP%3EIt's%20a%20protocol%20limitation%2C%26nbsp%3B%20in%20the%20NTLM%20event%2C%20this%20is%20what%20the%20protocol%20is%20putting%20in%20the%20machine%20name%20field%2C%20and%20there%20is%20no%20IP%20address%20in%20this%20event.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20think%20this%20post%20can%20give%20hints%20on%20it%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Advanced-Threat-Protection%2FAzure-ATP-Unresolved-Entity%2Fm-p%2F252724%3Fadvanced%3Dfalse%26amp%3Bcollapse_discussion%3Dtrue%26amp%3Bfilter%3Dlocation%26amp%3Blocation%3Dforum-board%3AAzureAdvancedThreatProtection%26amp%3Bq%3DMSTSC%26amp%3Bsearch_type%3Dthread%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FAzure-Advanced-Threat-Protection%2FAzure-ATP-Unresolved-Entity%2Fm-p%2F252724%3Fadvanced%3Dfalse%26amp%3Bcollapse_discussion%3Dtrue%26amp%3Bfilter%3Dlocation%26amp%3Blocation%3Dforum-board%3AAzureAdvancedThreatProtection%26amp%3Bq%3DMSTSC%26amp%3Bsearch_type%3Dthread%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-472239%22%20slang%3D%22en-US%22%3ERe%3A%20Account%20enumeration%20reconnaissance%20from%20an%20unresolved%20computer.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-472239%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3Bunderstood.%20Thank%20you%20for%20including%20that%20link.%20I%20am%20trying%20that%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-480929%22%20slang%3D%22en-US%22%3ERe%3A%20Account%20enumeration%20reconnaissance%20from%20an%20unresolved%20computer.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-480929%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F323460%22%20target%3D%22_blank%22%3E%40blurn%3C%2FA%3E%2C%20feel%20free%20to%20let%20us%20know%20if%20you%20run%20into%20issues%20but%20that%20was%20how%20we%20resolved%20it%20when%20I%20saw%20something%20similar%20last%20year.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20some%20ways%20it's%20a%20bit%20disappointing%20that%20this%20hasn't%20improved%20in%20the%20Azure%20ATP%20product%20in%20almost%20a%20year%3F%20The%20fact%20is%20that%20this%20should%20clearly%20indicate%20it's%20an%20RDP%20session%20at%20the%20very%20least%20-%20and%20I'm%20surprised%20that%20they%20can't%20at%20least%20add%20the%20logic%20to%20be%20able%20to%20finger%20the%20IP%2FDNS%20of%20where%20the%20RDP%20session%20login%20is%20originating%20from%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%20Dave%20C%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-486573%22%20slang%3D%22en-US%22%3ERe%3A%20Account%20enumeration%20reconnaissance%20from%20an%20unresolved%20computer.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-486573%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%26nbsp%3Bthank%20you!%20It%20took%20a%20few%20days%20for%20the%20authentication%20attempts%20to%20reach%20the%20DC%20I%20enabled%20debugging%20on%20---%20we%20have%205%20DCs.%20Once%20the%20attempts%20were%20logged%2C%20I%20tracked%20down%20the%20server%20they%20were%20using%20as%20an%20entry%20point.%20RDP%20was%20being%20allowed%20on%20an%20external%20interface%20on%20that%20server.%20RDP%20is%20only%20allowed%20on%20the%20management%20adapter%20now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EIn%20some%20ways%20it's%20a%20bit%20disappointing%20that%20this%20hasn't%20improved%20in%20the%20Azure%20ATP%20product%20in%20almost%20a%20year%3F%20The%20fact%20is%20that%20this%20should%20clearly%20indicate%20it's%20an%20RDP%20session%20at%20the%20very%20least%20-%20and%20I'm%20surprised%20that%20they%20can't%20at%20least%20add%20the%20logic%20to%20be%20able%20to%20finger%20the%20IP%2FDNS%20of%20where%20the%20RDP%20session%20login%20is%20originating%20from%3F%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20agree%20with%20everything%20you%20said%20above.%20That%20being%20said%2C%20we%20recently%20changed%20our%20licensing%20to%20A5%20and%20gained%20access%20to%20Azure%20ATP%20and%20Windows%20Defender%20ATP.%20Without%20Azure%20ATP%2C%20I%20don't%20think%20I%20would%20have%20been%20notified%20of%20an%20issue%20at%20all.%20It%20might%20have%20been%20something%20I%20found%20when%20looking%20through%20logs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIts%20a%20mixed%20bag%20for%20me.%20I%20really%20like%20the%20product...%20but%20surely%20there%20should%20be%20a%20way%20to%20find%20where%20the%20attempts%20are%20originating%20from.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESomething%20I%20found%20humorous%20was%20that%20the%20most%20recent%20attack%20was%20labeled%20like%20this%3A%20%22%3CSPAN%3EAn%20actor%20on%20KIEVSERVER%20performed%20suspicious%20account%20enumeration%20without%20successfully%20exposing%20any%20accounts.%22%20Maybe%20the%20attackers%20are%20naming%20their%20servers%20%22MSTSC%22%20and%20%22WORKSTATION%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-488413%22%20slang%3D%22en-US%22%3ERe%3A%20Account%20enumeration%20reconnaissance%20from%20an%20unresolved%20computer.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-488413%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F323460%22%20target%3D%22_blank%22%3E%40blurn%3C%2FA%3E%26nbsp%3BGlad%20to%20help%20%2B%20thanks%20for%20confirming%20those%20steps%20helped%20you%20resolve%20the%20issue.%3C%2FP%3E%3CP%3EWhen%20we%20resolved%20this%20as%20we%20did%20we%20didn't%20have%20Defender%20ATP%20to%20check%20against%2C%20and%20now%20that%20we%20are%20getting%20closer%20to%20having%20Automated%20responses%20this%20is%20something%20that%20I'd%20look%20to%20build%20out%20on%20-%20although%20having%20said%20that%20I'm%20guessing%20this%20is%20not%20that%20common%20a%20scenario%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20that%20we%20are%20a%20year%20on%20there%20is%20MCAS%20can%20tap%20into%20Flow%2C%20Defender%20ATP%20has%20just%20announced%20Vulnerability%20scanning%2C%20and%20Playbooks%20are%20available%20in%20Sentinel%20-%20so%20I%20can%20see%20that%20most%20of%20this%20area%20is%20filling%20out%20and%20maturing%20quite%20quickly%20-%20if%20you%20are%20now%20on%20A5%20I%20would%20push%20hard%20to%20get%20the%20three%20flavours%20of%20ATP%20%26amp%3B%20MCAS%20deployed%20ASAP.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20also%20assuming%20that%20you%20have%20Azure%20MFA%20%2B%20Conditional%20Access%20enabled%20for%20ALL%20Staff%20and%20Students%3F%20-%20if%20not%20let's%20have%20a%20quick%20chat%20as%20I'd%20be%20happy%20to%20help%20with%20some%20details%20that%20we%20used%20with%20a%20University%20late%20last%20year%20that%20can%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHave%20a%20great%20weekend%3C%2FP%3E%3CP%3EDave%20C%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F323460%22%20target%3D%22_blank%22%3E%40blurn%3C%2FA%3E%26nbsp%3Bwrote%3A%3CBR%20%2F%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E%26nbsp%3Bthank%20you!%20It%20took%20a%20few%20days%20for%20the%20authentication%20attempts%20to%20reach%20the%20DC%20I%20enabled%20debugging%20on%20---%20we%20have%205%20DCs.%20Once%20the%20attempts%20were%20logged%2C%20I%20tracked%20down%20the%20server%20they%20were%20using%20as%20an%20entry%20point.%20RDP%20was%20being%20allowed%20on%20an%20external%20interface%20on%20that%20server.%20RDP%20is%20only%20allowed%20on%20the%20management%20adapter%20now.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EIn%20some%20ways%20it's%20a%20bit%20disappointing%20that%20this%20hasn't%20improved%20in%20the%20Azure%20ATP%20product%20in%20almost%20a%20year%3F%20The%20fact%20is%20that%20this%20should%20clearly%20indicate%20it's%20an%20RDP%20session%20at%20the%20very%20least%20-%20and%20I'm%20surprised%20that%20they%20can't%20at%20least%20add%20the%20logic%20to%20be%20able%20to%20finger%20the%20IP%2FDNS%20of%20where%20the%20RDP%20session%20login%20is%20originating%20from%3F%26nbsp%3B%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20agree%20with%20everything%20you%20said%20above.%20That%20being%20said%2C%20we%20recently%20changed%20our%20licensing%20to%20A5%20and%20gained%20access%20to%20Azure%20ATP%20and%20Windows%20Defender%20ATP.%20Without%20Azure%20ATP%2C%20I%20don't%20think%20I%20would%20have%20been%20notified%20of%20an%20issue%20at%20all.%20It%20might%20have%20been%20something%20I%20found%20when%20looking%20through%20logs.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIts%20a%20mixed%20bag%20for%20me.%20I%20really%20like%20the%20product...%20but%20surely%20there%20should%20be%20a%20way%20to%20find%20where%20the%20attempts%20are%20originating%20from.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESomething%20I%20found%20humorous%20was%20that%20the%20most%20recent%20attack%20was%20labeled%20like%20this%3A%20%22%3CSPAN%3EAn%20actor%20on%20KIEVSERVER%20performed%20suspicious%20account%20enumeration%20without%20successfully%20exposing%20any%20accounts.%22%20Maybe%20the%20attackers%20are%20naming%20their%20servers%20%22MSTSC%22%20and%20%22WORKSTATION%22%3F%3C%2FSPAN%3E%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hi, we are getting an alert about account enumeration reconnaissance on our network. It says "an actor on MSTSC performed suspicious account enumeration exposing 2 existing account names." This enumeration included 379,129 guess attempts. Because of that being such a high number, I decided to further investigate this. When viewing details of the "MSTSC" computer, it has an unresolved tag: "This user/computer/group was not synced from the domain, and was partially resolved via a global catalog. Some attributes are not available"

 

Because of that, I am not sure how to investigate where this reconnaissance is originating from. There are no IP addresses associated with the "MSTSC" object. We also do not have any DNS entries or AD computers with the name "MSTSC".

 

Any tips on figuring out what the MSTSC object actually is?

5 Replies
Highlighted
Best Response confirmed by blurn (Occasional Contributor)
Solution

It happens if the connection was attempted via RDP.

It's a protocol limitation,  in the NTLM event, this is what the protocol is putting in the machine name field, and there is no IP address in this event.

 

I think this post can give hints on it:

https://techcommunity.microsoft.com/t5/Azure-Advanced-Threat-Protection/Azure-ATP-Unresolved-Entity/...

 

Highlighted

@Eli Ofek understood. Thank you for including that link. I am trying that now.

Highlighted

Hi @blurn, feel free to let us know if you run into issues but that was how we resolved it when I saw something similar last year.

 

In some ways it's a bit disappointing that this hasn't improved in the Azure ATP product in almost a year? The fact is that this should clearly indicate it's an RDP session at the very least - and I'm surprised that they can't at least add the logic to be able to finger the IP/DNS of where the RDP session login is originating from?

 

Regards, Dave C  

Highlighted

@David Caddick thank you! It took a few days for the authentication attempts to reach the DC I enabled debugging on --- we have 5 DCs. Once the attempts were logged, I tracked down the server they were using as an entry point. RDP was being allowed on an external interface on that server. RDP is only allowed on the management adapter now.

 

In some ways it's a bit disappointing that this hasn't improved in the Azure ATP product in almost a year? The fact is that this should clearly indicate it's an RDP session at the very least - and I'm surprised that they can't at least add the logic to be able to finger the IP/DNS of where the RDP session login is originating from? 

 

I agree with everything you said above. That being said, we recently changed our licensing to A5 and gained access to Azure ATP and Windows Defender ATP. Without Azure ATP, I don't think I would have been notified of an issue at all. It might have been something I found when looking through logs.

 

Its a mixed bag for me. I really like the product... but surely there should be a way to find where the attempts are originating from.

 

Something I found humorous was that the most recent attack was labeled like this: "An actor on KIEVSERVER performed suspicious account enumeration without successfully exposing any accounts." Maybe the attackers are naming their servers "MSTSC" and "WORKSTATION"?

Highlighted

@blurn Glad to help + thanks for confirming those steps helped you resolve the issue.

When we resolved this as we did we didn't have Defender ATP to check against, and now that we are getting closer to having Automated responses this is something that I'd look to build out on - although having said that I'm guessing this is not that common a scenario? 

 

Now that we are a year on there is MCAS can tap into Flow, Defender ATP has just announced Vulnerability scanning, and Playbooks are available in Sentinel - so I can see that most of this area is filling out and maturing quite quickly - if you are now on A5 I would push hard to get the three flavours of ATP & MCAS deployed ASAP.

 

I am also assuming that you have Azure MFA + Conditional Access enabled for ALL Staff and Students? - if not let's have a quick chat as I'd be happy to help with some details that we used with a University late last year that can help.

 

Have a great weekend

Dave C


@blurn wrote:

@David Caddick thank you! It took a few days for the authentication attempts to reach the DC I enabled debugging on --- we have 5 DCs. Once the attempts were logged, I tracked down the server they were using as an entry point. RDP was being allowed on an external interface on that server. RDP is only allowed on the management adapter now.

 

In some ways it's a bit disappointing that this hasn't improved in the Azure ATP product in almost a year? The fact is that this should clearly indicate it's an RDP session at the very least - and I'm surprised that they can't at least add the logic to be able to finger the IP/DNS of where the RDP session login is originating from? 

 

I agree with everything you said above. That being said, we recently changed our licensing to A5 and gained access to Azure ATP and Windows Defender ATP. Without Azure ATP, I don't think I would have been notified of an issue at all. It might have been something I found when looking through logs.

 

Its a mixed bag for me. I really like the product... but surely there should be a way to find where the attempts are originating from.

 

Something I found humorous was that the most recent attack was labeled like this: "An actor on KIEVSERVER performed suspicious account enumeration without successfully exposing any accounts." Maybe the attackers are naming their servers "MSTSC" and "WORKSTATION"?