Account enumeration reconnaissance

Muhamed Rafeeq
Level 1

Hi All,

Recently Windows Defender has been receiving a lot of Account enumeration reconnaissance alerts from Cisco ISE. Can anybody help me understand why these alerts are coming and how I can stop it? The ISE version and the alerts are attached.

2 Replies

JanCSG
Cisco Employee

Account enumeration reconnaissance

Previous name: Reconnaissance using account enumeration

Description

In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.

Kerberos: The attacker makes Kerberos requests using these names to try to find a valid username in the domain. When a guess successfully determines a username, the attacker gets the "Preauthentication required" Kerberos error instead of "Security principal unknown".

NTLM: The attacker makes NTLM authentication requests using the dictionary of names to try to find a valid username in the domain. If a guess successfully determines a username, the attacker gets the WrongPassword (0xc000006a) NTLM error instead of NoSuchUser (0xc0000064).

In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controllers and AD FS servers.

MITRE
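The tally that the description above sketches (per source: how many distinct names were tried, how many did not exist, how many matched), as an added example that is not from this thread, Microsoft or Cisco. It works on a simplified one-line form of Windows events 4776 (NTLM) and 4768 (Kerberos TGT request) with constructed sample data; the thresholds are assumptions, not Defender for Identity's real ones.

```python
import re
from collections import defaultdict

# NTLM status codes from the alert description, and the Kerberos error codes
# behind "Security principal unknown" (KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x6) and
# "Preauthentication required" (KDC_ERR_PREAUTH_REQUIRED, 0x19).
UNKNOWN_USER = {"4776": "0xc0000064", "4768": "0x6"}
VALID_USER = {"4776": "0xc000006a", "4768": "0x19"}

# Simplified one-line form of events 4776 (NTLM) and 4768 (Kerberos TGT request).
LINE_RE = re.compile(r"^(?P<event>4776|4768) Source=(?P<src>\S+) Account=(?P<acct>\S+) Status=(?P<status>\S+)$")

# Constructed sample events (not real logs): HOST-A tries many non-existent
# names, HOST-B shows an ordinary typo plus normal wrong-password failures.
SAMPLE_EVENTS = (
    [f"4776 Source=HOST-A Account=guess{i} Status=0xC0000064" for i in range(25)]
    + ["4776 Source=HOST-A Account=jsmith Status=0xC000006A",
       "4768 Source=HOST-A Account=asmith Status=0x19"]
    + ["4768 Source=HOST-B Account=jsmith Status=0x19",
       "4776 Source=HOST-B Account=jsmtih Status=0xC0000064",
       "4776 Source=HOST-B Account=bob Status=0xC000006A"]
)

def summarize(lines):
    """Per source: distinct unknown names and distinct matched (existing) names."""
    stats = defaultdict(lambda: {"unknown": set(), "matched": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        event, status = m["event"], m["status"].lower()
        if status == UNKNOWN_USER[event]:
            stats[m["src"]]["unknown"].add(m["acct"].lower())
        elif status == VALID_USER[event]:
            stats[m["src"]]["matched"].add(m["acct"].lower())
    return stats

def flag_enumeration(stats, min_unknown=20, min_ratio=0.8):
    """Flag sources where unknown-user failures dominate the distinct names tried.
    The thresholds are assumptions for illustration, not the product's values."""
    flagged = {}
    for src, s in stats.items():
        unknown, matched = len(s["unknown"]), len(s["matched"])
        total = unknown + matched
        if unknown >= min_unknown and unknown / total >= min_ratio:
            flagged[src] = {"guesses": total, "unknown": unknown, "matched": matched}
    return flagged
```

Running the same tally over the events behind the alert shows which account names the flagged ISE node actually sent to the domain controllers, which is the starting point for deciding whether that traffic is legitimate.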

This is not what was asked. We need to know how to resolve this false positive that your servers are getting flagged for.