Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

MDI can't detect account ennumeration

Copper Contributor

hello evryone,

 

It is typical for MDI to be unable to identify the following types of enumeration ?

 

  • crackmapexec smb "DC IP Address" --users -u 'domainuser' -p 'Mypassword' 
  • crackmapexec smb "DC IP Address" –pass-pol -u 'domainuser' -p 'Mypassword'
  • net rpc group members 'Domain Admins'  -I 'domain' -U '%' 

Is there a way to prevent or fix this issue ?

 

Considering that we have completed all the simulated attack tests for MDI listed below with success:

 

https://learn.microsoft.com/en-us/defender-for-identity/playbooks

 

 

Thanks,

 

 

 
1 Reply
For the first command, I'm not sure if cme uses the IPC$ names pipe for user enum or the SAM-R protocol, but if it's SAM-R then this should trigger an alert.

Did you deploy the sensor recently? There's a learning period of 30 days which does not trigger an alert using the SAM-R protocol. There's an option to disable the learning period but it might come with false positives in the beginning.

The second command does not trigger an alert I think since you're getting the password policy with an authenticated user.

The last command should uses SAM-R I think, but be sure you didn't deploy the sensor recently or disable the learning period.