cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Reconnaissance using account enumeration - how to troubleshoot

DrewP2400
Copper Contributor

‎Jul 05 2019 08:16 AM - last edited on ‎Nov 30 2021 10:05 AM by

‎Jul 05 2019 08:16 AM - last edited on ‎Nov 30 2021 10:05 AM by

Reconnaissance using account enumeration - how to troubleshoot

Hello,

I have a new install of ATA on 6 DC's.  2 DC's are in Azure space for our AD Connect sync/ADFS.  Is this alert a common occurance seen on ADFS/WAP servers? safe to create an exception?

 

Shortly after the ATA lightweight gateway was installed on the 2 DC's in Azure this started to report "Reconnaissance using account enumeration" originating from our ADFS servers (x2).  The two DC's in Azure chat with the 2 ADFS servers in Azure (other 4 DC's are on-prem).

 

I have read this MS article. But still need some assistance to identify if this is malicious or not. 

 

  • Total accounts guessed = 1012
  • Existing accounts found = 27 (many of these are disabled user accounts)
  • Non-existing accounts guessed = 984

Of the non-existing account I would guess about 1/2 of them are old or disabled accounts.  The other 1/2 appear to be guesses (IE:  morse54@myCo.com, rios035@myCo.com, lkgxgaiztcetlq@myCo.com).

 

For the accounts that were found and enabled.  I do see bad password attempts but are hours appart.  Perhaps this is a very slow brute force attack to not raise red flags or lock out the account?

 

Thanks, any tips or comments is appreciated.

 

9,504 Views
0 Likes
5 Replies
Reply
5 Replies
Joel Jerkin

‎Jul 07 2019 06:22 AM

‎Jul 07 2019 06:22 AM

Re: Reconnaissance using account enumeration - how to troubleshoot

Azure AD Connect servers are typically causing false positive-alerts and could be excluded under "Suspected DCSync attack (replication of directory services)":

AzureATP.png

 

0 Likes
Reply
DrewP2400

‎Jul 07 2019 09:23 AM

‎Jul 07 2019 09:23 AM

Re: Reconnaissance using account enumeration - how to troubleshoot

@Joel Jerkin 

Thanks for the reply, however, in this case AD Connect or replication of DS is not involved in this scenario.

0 Likes
Reply
Tali Ash

‎Jul 11 2019 03:59 AM

‎Jul 11 2019 03:59 AM

Re: Reconnaissance using account enumeration - how to troubleshoot

@DrewP2400 

 

We are not familiar with such cases.

I will recommend to verify it against ADFS and AD Connect product group, if there are built-in process that are doing such behavior.

 

As already being shared the known issue we are familiar is with replications.

 

Thanks,

Tali

0 Likes
Reply
Mark Lewis

‎Jul 18 2019 03:06 AM

‎Jul 18 2019 03:06 AM

Re: Reconnaissance using account enumeration - how to troubleshoot

@DrewP2400 The accounts that have been uncovered, are they on https://haveibeenpwned.com/ ? In which case it could be a low and slow attack using a list obtained from a breach. Do you have ADFS Proxies as well? Could you put Smart Lockout on? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-s... Are you already using Azure MFA?

0 Likes
Reply
homayoonfayaz

‎Jan 17 2021 08:12 AM

‎Jan 17 2021 08:12 AM

Re: Reconnaissance using account enumeration - how to troubleshoot

@DrewP2400  I have also this issue did you solve it???

0 Likes
Reply