Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Use the queries below when Microsoft Defender for Identity raises the alert "Account enumeration reconnaissance" (account enumeration from a single endpoint), to see which names were tried, from where, and whether the guessing moved on to passwords.
Example:
An actor on performed suspicious account enumeration, exposing while trying to access
Jun 19, 2021 3:51 AM - Jun 20, 2021 8:36 PM Enumeration included a total of 31 guess attempts for account names.
The most recent enumeration attempts included a total of 30 non-existing account names.
Account enumeration performed on your Active Directory using Ntlm
Timeline of failed logons against account names that do not exist in the directory, binned in 10-minute buckets; a burst of such failures from one source is the enumeration pattern the alert describes:

```kusto
IdentityLogonEvents
| where Timestamp > ago(72h)
| where ActionType == "LogonFailed"
// UnknownUser means the account name does not exist, which is what name guessing produces
| where FailureReason == "UnknownUser"
// drop machine accounts (names ending in $) to remove noise from computer logons
| where AccountName !endswith "$"
| summarize count() by bin(Timestamp, 10m)
| render timechart
```

The same events as a list, to see which names were tried, from which device and over which protocol:

```kusto
IdentityLogonEvents
| where Timestamp > ago(72h)
| where ActionType == "LogonFailed"
| where FailureReason == "UnknownUser"
| where AccountName !endswith "$"
```

Failed endpoint logons that used a cleartext logon type (Windows logon type 8, where the caller hands the password to the logon process in the clear, as basic authentication does). The original query has no time bound, so add a `Timestamp > ago(...)` filter on large tenants:

```kusto
DeviceLogonEvents
| where ActionType == "LogonFailed"
| where LogonType == "NetworkCleartext"
```

Failed logons for accounts that do exist, which is what password guessing against the enumerated names looks like once the actor has a list of valid users:

```kusto
IdentityLogonEvents
| where ActionType == "LogonFailed"
| where FailureReason == "WrongPassword"
```
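As an added example (not part of the original page or the contributor's queries), the Python below re-implements the filtering and 10-minute binning of the first two queries over a constructed set of IdentityLogonEvents-style rows, then goes one step further than the page: it counts distinct non-existent account names per source device in each bin, which is what separates enumeration from one user mistyping a name. Column names follow the IdentityLogonEvents table; the hosts, account names, timestamps and the threshold of 5 distinct names are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like the IdentityLogonEvents columns the
# page's queries use: (Timestamp, ActionType, FailureReason, AccountName,
# DeviceName). Hosts, names and times are invented for this example.
SAMPLE_EVENTS = [
    ("2021-06-19T03:51:00", "LogonFailed",  "UnknownUser",   "admin1",         "WS-0042"),
    ("2021-06-19T03:51:30", "LogonFailed",  "UnknownUser",   "administrator2", "WS-0042"),
    ("2021-06-19T03:52:00", "LogonFailed",  "UnknownUser",   "backup",         "WS-0042"),
    ("2021-06-19T03:53:10", "LogonFailed",  "UnknownUser",   "svc_sql",        "WS-0042"),
    ("2021-06-19T03:55:00", "LogonFailed",  "UnknownUser",   "helpdesk",       "WS-0042"),
    ("2021-06-19T03:58:45", "LogonFailed",  "UnknownUser",   "admin1",         "WS-0042"),  # repeat name
    ("2021-06-19T03:59:00", "LogonFailed",  "UnknownUser",   "WS-0042$",       "WS-0042"),  # machine account
    ("2021-06-19T03:59:30", "LogonFailed",  "WrongPassword", "jsmith",         "WS-0042"),  # existing user
    ("2021-06-19T04:12:00", "LogonFailed",  "UnknownUser",   "jsmtih",         "WS-0007"),  # a typo, benign
    ("2021-06-19T04:13:00", "LogonSuccess", "",              "jsmith",         "WS-0007"),
]


def parse_events(rows):
    """Turn the sample tuples into dicts with a real datetime, like a KQL row."""
    return [
        {"Timestamp": datetime.fromisoformat(ts), "ActionType": action,
         "FailureReason": reason, "AccountName": name, "DeviceName": device}
        for ts, action, reason, name, device in rows
    ]


def unknown_user_failures(events):
    """Mirror of the second query: failed logons for non-existent accounts,
    with machine accounts (names ending in '$') dropped."""
    return [e for e in events
            if e["ActionType"] == "LogonFailed"
            and e["FailureReason"] == "UnknownUser"
            and not e["AccountName"].endswith("$")]


def bin_start(ts, bin_minutes=10):
    """Equivalent of KQL bin(Timestamp, 10m) for bin sizes that divide an hour."""
    return ts - timedelta(minutes=ts.minute % bin_minutes,
                          seconds=ts.second, microseconds=ts.microsecond)


def bin_counts(events, bin_minutes=10):
    """Mirror of the first query's summarize: failure count per 10-minute bin."""
    counts = defaultdict(int)
    for e in unknown_user_failures(events):
        counts[bin_start(e["Timestamp"], bin_minutes)] += 1
    return dict(counts)


def enumerating_sources(events, bin_minutes=10, threshold=5):
    """Beyond the page's queries: group by source device and flag any device
    that tried at least `threshold` DISTINCT non-existent names in one bin.
    Distinct names matter: re-typing one wrong name is not enumeration,
    many different names from one host is."""
    names = defaultdict(set)
    for e in unknown_user_failures(events):
        names[(e["DeviceName"], bin_start(e["Timestamp"], bin_minutes))].add(e["AccountName"])
    return [
        {"DeviceName": dev, "BinStart": start,
         "DistinctUnknownAccounts": len(tried), "AccountNames": sorted(tried)}
        for (dev, start), tried in sorted(names.items())
        if len(tried) >= threshold
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for start, n in sorted(bin_counts(evts).items()):
        print(f"{start:%Y-%m-%d %H:%M}  {n} failed logons for unknown accounts")
    for hit in enumerating_sources(evts):
        print(f"possible enumeration from {hit['DeviceName']} at {hit['BinStart']:%H:%M}: "
              f"{hit['DistinctUnknownAccounts']} distinct names {hit['AccountNames']}")
```

The per-device distinct-name count is the piece worth carrying back into KQL (`summarize dcount(AccountName) by DeviceName, bin(Timestamp, 10m)`), since the raw count in the first query also rises when one person repeatedly mistypes a single name.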
These queries can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
Technique, tactic, or state | Covered? (v=yes) | Notes |
---|---|---|
Initial access | | |
Execution | | |
Persistence | | |
Privilege escalation | | |
Defense evasion | | |
Credential Access | | |
Discovery | v | T1087.002 Account Discovery: Domain Account, https://attack.mitre.org/techniques/T1087/002/ |
Lateral movement | | |
Collection | | |
Command and control | | |
Exfiltration | | |
Impact | | |
Vulnerability | | |
Misconfiguration | | |
Malware, component | | |
Contributor: Alex Verboon