cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MDI can't detect account ennumeration

mehdimoujib
Copper Contributor

‎Jun 08 2023 10:42 AM

‎Jun 08 2023 10:42 AM

MDI can't detect account ennumeration

hello evryone,

 

It is typical for MDI to be unable to identify the following types of enumeration ?

 

  • crackmapexec smb "DC IP Address" --users -u 'domainuser' -p 'Mypassword' 
  • crackmapexec smb "DC IP Address" –pass-pol -u 'domainuser' -p 'Mypassword'
  • net rpc group members 'Domain Admins'  -I 'domain' -U '%' 

Is there a way to prevent or fix this issue ?

 

Considering that we have completed all the simulated attack tests for MDI listed below with success:

 

https://learn.microsoft.com/en-us/defender-for-identity/playbooks

 

 

Thanks,

 

 

 
438 Views
0 Likes
1 Reply
Reply
1 Reply
Thalpius

‎Jun 22 2023 03:39 AM

‎Jun 22 2023 03:39 AM

Re: MDI can't detect account ennumeration

For the first command, I'm not sure if cme uses the IPC$ names pipe for user enum or the SAM-R protocol, but if it's SAM-R then this should trigger an alert.

Did you deploy the sensor recently? There's a learning period of 30 days which does not trigger an alert using the SAM-R protocol. There's an option to disable the learning period but it might come with false positives in the beginning.

The second command does not trigger an alert I think since you're getting the password policy with an authenticated user.

The last command should uses SAM-R I think, but be sure you didn't deploy the sensor recently or disable the learning period.
0 Likes
Reply