Reconnaissance using account enumeration - how to troubleshoot

Copper Contributor

Hello,

I have a new install of ATA on 6 DC's.  2 DC's are in Azure space for our AD Connect sync/ADFS.  Is this alert a common occurance seen on ADFS/WAP servers? safe to create an exception?

 

Shortly after the ATA lightweight gateway was installed on the 2 DC's in Azure this started to report "Reconnaissance using account enumeration" originating from our ADFS servers (x2).  The two DC's in Azure chat with the 2 ADFS servers in Azure (other 4 DC's are on-prem).

 

I have read this MS article. But still need some assistance to identify if this is malicious or not. 

 

  • Total accounts guessed = 1012
  • Existing accounts found = 27 (many of these are disabled user accounts)
  • Non-existing accounts guessed = 984

Of the non-existing account I would guess about 1/2 of them are old or disabled accounts.  The other 1/2 appear to be guesses (IE:  morse54@myCo.com, rios035@myCo.com, lkgxgaiztcetlq@myCo.com).

 

For the accounts that were found and enabled.  I do see bad password attempts but are hours appart.  Perhaps this is a very slow brute force attack to not raise red flags or lock out the account?

 

Thanks, any tips or comments is appreciated.

 

5 Replies

Azure AD Connect servers are typically causing false positive-alerts and could be excluded under "Suspected DCSync attack (replication of directory services)":

AzureATP.png

 

@Joel Jerkin 

Thanks for the reply, however, in this case AD Connect or replication of DS is not involved in this scenario.

@DrewP2400 

 

We are not familiar with such cases.

I will recommend to verify it against ADFS and AD Connect product group, if there are built-in process that are doing such behavior.

 

As already being shared the known issue we are familiar is with replications.

 

Thanks,

Tali

@DrewP2400 The accounts that have been uncovered, are they on https://haveibeenpwned.com/ ? In which case it could be a low and slow attack using a list obtained from a breach. Do you have ADFS Proxies as well? Could you put Smart Lockout on? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-s... Are you already using Azure MFA?

@DrewP2400  I have also this issue did you solve it???