Jul 05 2019 (last edited on Nov 30 2021)
I have a new install of ATA on 6 DCs. 2 DCs are in Azure space for our AD Connect sync/ADFS. Is this alert a common occurrence seen on ADFS/WAP servers? Is it safe to create an exception?
Shortly after the ATA lightweight gateway was installed on the 2 DCs in Azure, this started to report "Reconnaissance using account enumeration" originating from our ADFS servers (x2). The two DCs in Azure chat with the 2 ADFS servers in Azure (the other 4 DCs are on-prem).
I have read this MS article, but I still need some assistance to identify whether this is malicious or not.
Of the non-existing accounts, I would guess about 1/2 of them are old or disabled accounts. The other 1/2 appear to be guesses (i.e. morse54@myCo.com, rios035@myCo.com, lkgxgaiztcetlq@myCo.com).
For the accounts that were found and enabled, I do see bad password attempts, but they are hours apart. Perhaps this is a very slow brute force attack to not raise red flags or lock out the account?
Thanks, any tips or comments are appreciated.
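The post above describes the two signals a defender would want to measure before deciding whether to create an exception: many distinct nonexistent account names coming from one source over a long period, and bad-password attempts against real accounts spaced hours apart so that no lockout threshold is ever reached. The following Python script is an added example, not code from the original thread or from Microsoft; it runs the two checks over a small constructed set of logon events. The host names, account names and timestamps are made up, the outcome labels (`nonexistent`, `badpassword`, `success`) are an assumed normalisation of whatever the real log source provides, and the `looks_random` heuristic is a simple vowel-ratio test that only catches keyboard-mash names like the third one quoted above, not surname-plus-digits guesses.

```python
from datetime import datetime, timedelta

# Constructed sample logon events (timestamp, source host, account, outcome),
# loosely modelled on what the post describes: failures arriving from an
# ADFS server hours apart, about half of them for accounts that do not exist.
# Hosts, accounts and times are made up for this example.
SAMPLE_EVENTS = [
    ("2019-07-01 01:05:00", "adfs01", "morse54@myCo.com", "nonexistent"),
    ("2019-07-01 03:40:00", "adfs01", "rios035@myCo.com", "nonexistent"),
    ("2019-07-01 06:12:00", "adfs01", "lkgxgaiztcetlq@myCo.com", "nonexistent"),
    ("2019-07-01 09:55:00", "adfs01", "jdoe@myCo.com", "badpassword"),
    ("2019-07-01 13:30:00", "adfs01", "oldsvc@myCo.com", "nonexistent"),
    ("2019-07-01 17:02:00", "adfs01", "jdoe@myCo.com", "badpassword"),
    ("2019-07-01 21:48:00", "adfs01", "asmith@myCo.com", "badpassword"),
    ("2019-07-02 02:15:00", "adfs01", "qwzxkjvbnm@myCo.com", "nonexistent"),
    # A normal user who mistyped once from a workstation and then signed in.
    ("2019-07-01 08:00:00", "wks042", "jdoe@myCo.com", "badpassword"),
    ("2019-07-01 08:00:20", "wks042", "jdoe@myCo.com", "success"),
]

VOWELS = set("aeiou")


def parse_events(rows):
    """Turn the raw tuples into dicts carrying a real datetime."""
    return [
        {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "source": src, "account": acct, "outcome": outcome}
        for ts, src, acct, outcome in rows
    ]


def looks_random(account, min_len=10, max_vowel_ratio=0.25):
    """Heuristic for keyboard-mash names: a long local part with few vowels.
    Surname+digits guesses (morse54) need a wordlist check instead."""
    local = account.split("@", 1)[0].lower()
    letters = [c for c in local if c.isalpha()]
    if len(local) < min_len or not letters:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < max_vowel_ratio


def summarize_source(events, source):
    """Per-source view of failed logons: distinct nonexistent accounts tried,
    how many looked random, and how spread out in time the failures were."""
    failed = sorted(
        (e for e in events if e["source"] == source and e["outcome"] != "success"),
        key=lambda e: e["time"],
    )
    nonexistent = {e["account"] for e in failed if e["outcome"] == "nonexistent"}
    span = (failed[-1]["time"] - failed[0]["time"]).total_seconds() / 3600 if failed else 0.0
    gaps = [(b["time"] - a["time"]).total_seconds() / 3600 for a, b in zip(failed, failed[1:])]
    return {
        "failed_attempts": len(failed),
        "distinct_nonexistent": len(nonexistent),
        "random_looking": sum(looks_random(a) for a in nonexistent),
        "span_hours": span,
        "mean_gap_hours": sum(gaps) / len(gaps) if gaps else 0.0,
    }


def flag_low_and_slow(events, min_nonexistent=3, min_span_hours=6):
    """Flag sources that probe several nonexistent accounts over a long period:
    the shape of slow enumeration that per-account lockout counters never see."""
    flagged = {}
    for source in sorted({e["source"] for e in events}):
        s = summarize_source(events, source)
        if s["distinct_nonexistent"] >= min_nonexistent and s["span_hours"] >= min_span_hours:
            flagged[source] = s
    return flagged


def max_failures_in_window(events, account, window_minutes):
    """Largest number of failures against one account inside any sliding window.
    Compare with a lockout threshold: attempts hours apart never reach it."""
    window = timedelta(minutes=window_minutes)
    times = sorted(e["time"] for e in events
                   if e["account"] == account and e["outcome"] != "success")
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for source, summary in flag_low_and_slow(events).items():
        print(source, summary)
    print("jdoe failures in any 30-minute window:",
          max_failures_in_window(events, "jdoe@myCo.com", 30))
```

Run against the constructed sample, `adfs01` is flagged (five distinct nonexistent accounts over roughly 25 hours, failures a little over 3.5 hours apart on average) while the workstation is not, and no 30-minute window ever holds more than one failure for `jdoe`, which is why a lockout policy with a short observation window stays silent. Before excluding a source, the same numbers taken from the real logs tell you whether the traffic is a legitimate process retrying stale identities or a slow enumeration worth following up.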
Jul 07 2019 06:22 AM
Azure AD Connect servers are typically causing false-positive alerts and could be excluded under "Suspected DCSync attack (replication of directory services)".
Jul 07 2019 09:23 AM
Thanks for the reply, however, in this case AD Connect or replication of DS is not involved in this scenario.
Jul 11 2019 03:59 AM
We are not familiar with such cases.
I would recommend verifying with the ADFS and AD Connect product groups whether there are built-in processes that exhibit such behavior.
As already shared, the known issue we are familiar with involves replication.
Jul 18 2019 03:06 AM
@DrewP2400 The accounts that have been uncovered, are they on https://haveibeenpwned.com/ ? In which case it could be a low and slow attack using a list obtained from a breach. Do you have ADFS Proxies as well? Could you put Smart Lockout on? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-s... Are you already using Azure MFA?