Reconnaissance using account enumeration - how to troubleshoot


Hello,

I have a new install of ATA on 6 DC's. 2 DC's are in Azure space for our AD Connect sync/ADFS. Is this alert a common occurrence seen on ADFS/WAP servers? Safe to create an exception?

Shortly after the ATA lightweight gateway was installed on the 2 DC's in Azure this started to report "Reconnaissance using account enumeration" originating from our ADFS servers (x2).  The two DC's in Azure chat with the 2 ADFS servers in Azure (other 4 DC's are on-prem).

 

I have read this MS article. But still need some assistance to identify if this is malicious or not. 

 

  • Total accounts guessed = 1012
  • Existing accounts found = 27 (many of these are disabled user accounts)
  • Non-existing accounts guessed = 984

Of the non-existing accounts I would guess about 1/2 of them are old or disabled accounts. The other 1/2 appear to be guesses (IE: morse54@myCo.com, rios035@myCo.com, lkgxgaiztcetlq@myCo.com).

For the accounts that were found and enabled, I do see bad password attempts, but they are hours apart. Perhaps this is a very slow brute force attack to not raise red flags or lock out the account?

Thanks, any tips or comments are appreciated.
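The triage the alert figures call for, as an added example that is not part of this thread, of ATA or of Microsoft's tooling: it replays a constructed list of Kerberos authentication failures (event 4768/4771-style records; the tuple layout, host names and account names are assumptions, not ATA's schema) through the same counters the alert reports, flags synthetic-looking names like lkgxgaiztcetlq, and measures the gap between failed attempts on accounts that do exist, which is the signal for the low-and-slow guessing the post suspects.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Kerberos KDC result codes as Windows records them in events 4768/4771.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # no such account in the domain
KDC_ERR_CLIENT_REVOKED = "0x12"       # account exists but is disabled/locked/expired
KDC_ERR_PREAUTH_FAILED = "0x18"       # account exists, wrong password
KDC_SUCCESS = "0x0"

# Constructed sample events (not real telemetry): time, source host, account, result code.
SAMPLE_EVENTS = [
    ("2019-07-01 02:10:05", "adfs01", "morse54", "0x6"),
    ("2019-07-01 02:10:06", "adfs01", "rios035", "0x6"),
    ("2019-07-01 02:10:07", "adfs01", "lkgxgaiztcetlq", "0x6"),
    ("2019-07-01 02:10:09", "adfs01", "jsmith", "0x12"),
    ("2019-07-01 02:10:11", "adfs01", "khall", "0x18"),
    ("2019-07-01 05:42:30", "adfs01", "khall", "0x18"),
    ("2019-07-01 09:15:02", "adfs01", "khall", "0x18"),
    ("2019-07-01 09:15:05", "adfs01", "qwpzxvkt", "0x6"),
    ("2019-07-01 09:16:00", "dc-onprem1", "svc-backup", "0x0"),
    ("2019-07-01 09:30:00", "dc-onprem1", "svc-backup", "0x18"),
]

VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic: long names with almost no vowels are likelier to be generated
    guesses than real usernames. It is a hint for the analyst, not a rule."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.25


def summarise(events):
    """Group events by source host and rebuild the counters the ATA alert shows,
    plus the median gap (minutes) between failed attempts on the same existing account."""
    by_source = defaultdict(lambda: {
        "unknown": set(), "disabled": set(), "existing": set(),
        "fail_times": defaultdict(list)})
    for ts, src, account, code in events:
        s = by_source[src]
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            s["unknown"].add(account)
        elif code == KDC_ERR_CLIENT_REVOKED:
            s["disabled"].add(account)
            s["existing"].add(account)
        elif code == KDC_ERR_PREAUTH_FAILED:
            s["existing"].add(account)
            s["fail_times"][account].append(t)
        elif code == KDC_SUCCESS:
            s["existing"].add(account)
    report = {}
    for src, s in by_source.items():
        gaps = []
        for times in s["fail_times"].values():
            times.sort()
            gaps += [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report[src] = {
            "total_guessed": len(s["unknown"]) + len(s["existing"]),
            "existing_found": len(s["existing"]),
            "existing_disabled": len(s["disabled"]),
            "non_existing": len(s["unknown"]),
            "random_looking": sum(looks_random(n) for n in s["unknown"]),
            "median_gap_min": median(gaps) if gaps else None,
        }
    return report


def assess(summary, slow_gap_min=60):
    """Turn the counters into triage findings per source host.
    The 60-minute threshold is an assumption for this example, not ATA's."""
    verdicts = {}
    for src, r in summary.items():
        findings = []
        if r["non_existing"] > r["existing_found"]:
            findings.append("enumeration: most guessed names do not exist")
        if r["random_looking"]:
            findings.append("synthetic-looking names among the guesses")
        if r["median_gap_min"] is not None and r["median_gap_min"] >= slow_gap_min:
            findings.append("low-and-slow password guessing against discovered accounts")
        verdicts[src] = findings or ["no enumeration pattern from this source"]
    return verdicts


if __name__ == "__main__":
    for host, findings in assess(summarise(SAMPLE_EVENTS)).items():
        print(host, "->", "; ".join(findings))
```

Because AD FS authenticates on behalf of external users, the domain controller (and therefore ATA) sees the federation server as the source of every request; the originating client address is only in AD FS's own audit log on the federation server, so the next pivot is there, before deciding whether an exclusion is safe.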

4 Replies

Azure AD Connect servers typically cause false-positive alerts and could be excluded under "Suspected DCSync attack (replication of directory services)":

[image: AzureATP.png]


@Joel Jerkin 

Thanks for the reply, however, in this case AD Connect or replication of DS is not involved in this scenario.


@DrewP2400

We are not familiar with such cases.

I would recommend verifying it with the ADFS and AD Connect product groups, to see if there are built-in processes that are doing such behavior.

As already shared, the known issue we are familiar with is with replications.

Thanks,

Tali


@DrewP2400 The accounts that have been uncovered, are they on https://haveibeenpwned.com/ ? In which case it could be a low and slow attack using a list obtained from a breach. Do you have ADFS Proxies as well? Could you put Smart Lockout on? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-s... Are you already using Azure MFA?