Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
Use the bellow queries when you get alerts from Microsoft Defender for Identity: Account enumeration reconnaissance on one endpoint
Example:
An actor on performed suspicious account enumeration, exposing while trying to access
Jun 19, 2021 3:51 AM - Jun 20, 2021 8:36 PM Enumeration included a total of 31 guess attempts for account names.
The most recent enumeration attempts included a total of 30 non-existing account names.
Account enumeration performed on your Active Directory using Ntlm
IdentityLogonEvents
| where Timestamp > ago(72h)
| where ActionType == "LogonFailed"
| where FailureReason == "UnknownUser"
| where AccountName !endswith "$"
| sort by Timestamp desc
| summarize count() by bin(Timestamp,10m)
| render timechart IdentityLogonEvents
| where Timestamp > ago(72h)
| where ActionType == "LogonFailed"
| where FailureReason == "UnknownUser"
| where AccountName !endswith "$"DeviceLogonEvents
| where ActionType == "LogonFailed"
| where LogonType == "NetworkCleartext" IdentityLogonEvents
| where ActionType == "LogonFailed"
| where FailureReason == "WrongPassword"This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | ||
| Persistence | ||
| Privilege escalation | ||
| Defense evasion | ||
| Credential Access | ||
| Discovery | v | https://attack.mitre.org/techniques/T1087/002/ |
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Misconfiguration | ||
| Malware, component |
Contributor: Alex Verboon