Add AD FS Servers As An Exception For AATP?


Hello! We just installed AATP a week ago in our environment and a few days ago, we started to receive alerts from AATP about our AD FS (Active Directory Federation Services) servers reporting "Account enumeration reconnaissance". The alert looked something like this:

Account enumeration reconnaissance was detected in <tenant>

An actor on <AD FS server> performed suspicious account enumeration exposing <count> existing account names.

Is this normal for the AD FS servers to report this, and if so, is it safe to add this as an exception? I saw that the AATP console suggested adding the DirSync servers, but I didn't see anything about the AD FS servers, so I wanted to clarify whether this is something we need to investigate further.

Thanks!

1 Reply

@AakashShah

ADFS servers are typically open to the Internet and are therefore a potential target for account enumeration attacks. In this alert, all the users who failed to authenticate do not exist in Active Directory. We recommend that you check if the users in the list have been removed from AD recently, or if the list looks more like a dictionary attack. Once you understand the user list you can determine if the alert is being triggered by a process in your environment which is enumerating the users, or if it is potentially a real attack.
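A triage script along the lines of the checks the reply suggests, added here as an example and not taken from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the Deleted Objects container; the $AlertUsers list is a constructed sample standing in for the names shown in the alert.

```powershell
# Added example: triage the account names from an AATP "Account enumeration
# reconnaissance" alert raised on an AD FS server. Assumes the RSAT
# ActiveDirectory module; $AlertUsers is a constructed sample list.
Import-Module ActiveDirectory

$AlertUsers = @('jsmith', 'mjones', 'aaron', 'abigail', 'adam', 'admin', 'test', 'backup')
$RecentDays = 30
$Cutoff     = (Get-Date).AddDays(-$RecentDays)

$Report = foreach ($u in $AlertUsers) {
    # Names are used verbatim in LDAP filters; escape ( ) * \ if real alert data contains them.
    # 1) Confirm the account really is absent from AD (AATP says it is).
    $live = Get-ADUser -LDAPFilter "(sAMAccountName=$u)" -ErrorAction SilentlyContinue

    # 2) Was it deleted recently? Tombstones keep sAMAccountName, so the
    #    Deleted Objects container can be searched by that attribute.
    $deleted = Get-ADObject -LDAPFilter "(&(sAMAccountName=$u)(isDeleted=TRUE))" `
                            -IncludeDeletedObjects -Properties whenChanged |
               Sort-Object whenChanged -Descending | Select-Object -First 1

    [pscustomobject]@{
        User            = $u
        ExistsInAD      = [bool]$live
        DeletedRecently = [bool]($deleted -and $deleted.whenChanged -ge $Cutoff)
        DeletedOn       = if ($deleted) { $deleted.whenChanged } else { $null }
    }
}

$Report | Format-Table -AutoSize

# 3) Names that are neither live nor recently deleted need an explanation.
#    Two simple indicators of a wordlist rather than a stale internal process:
#    the names arrive in alphabetical order, or they are generic service names.
$unexplained = @($Report | Where-Object { -not $_.ExistsInAD -and -not $_.DeletedRecently })
$names       = @($unexplained | ForEach-Object User)
$isSorted    = ($names -join ',') -eq ((@($names | Sort-Object)) -join ',')
$generic     = @($names | Where-Object { $_ -match '^(admin|test|backup|guest|user\d*)$' }).Count

$summary = '{0} of {1} names unexplained by AD; alphabetical order: {2}; generic service names: {3}'
$summary -f $unexplained.Count, $AlertUsers.Count, $isSorted, $generic
```

If most names are recently deleted, look for the internal process (a sync or login script) still referencing them; if the unexplained set is sorted or generic, treat the alert as a possible external guessing attempt rather than adding the AD FS servers as an exception.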