defender-for-identity/alerts-xdr.md
Lines changed: 3 additions & 3 deletions
@@ -126,9 +126,9 @@ This section describes alerts indicating that a malicious actor might be attempt
|<aname="suspicious-ldap-query"></a><details><summary>Suspicious LDAP query</summary><br>**Description**:<br><br>A suspicious Lightweight Directory Access Protocol (LDAP) query associated with a known attack tool was detected. An attacker might be performing reconnaissance for later steps.</details> | High |[T1087.002](https://attack.mitre.org/techniques/T1087/002)| xdr_SuspiciousLdapQuery |
|<aname="active-directory-attributes-reconnaissance-ldap"></a><details><summary>Active Directory attributes Reconnaissance using LDAP</summary><br>**Description**:<br>Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure, as well as identify privileged accounts for use in later steps in their attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of the most popular methods used for both legitimate and malicious purposes to query Active Directory.<br><br>**Learning period**: None<br></details>|Medium|[TA0007](https://attack.mitre.org/tactics/TA0007)<br> [T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1049](https://attack.mitre.org/techniques/T1049/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br>|xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert|
|<aname="user-and-ip-address-reconnaissance-smb"></a><details><summary>User and IP address reconnaissance (SMB)</summary><br>**Previous name**: Reconnaissance using SMB Session Enumeration.<br><br>**Description**:<br>Enumeration using Server Message Block (SMB) protocol enables attackers to get information about where users recently logged on. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account.<br>In this detection, an alert is triggered when an SMB session enumeration is performed against a domain controller.<br><br>**Learning period**: None<br><br></details>|Medium|[TA0007](https://attack.mitre.org/tactics/TA0007)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1046](https://attack.mitre.org/techniques/T1046/)<br>[T1018](https://attack.mitre.org/techniques/T1018/)|xdr_SmbSessionEnumeration|
-
|<a name="account-enumeration-reconnaissance-in-ad-fs"></a><details><summary>Account Enumeration reconnaissance in AD FS</summary><br>**Previous name**: Reconnaissance using account enumeration.<br><br>**Description**:<br>In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.<br><br>**Kerberos**: Attacker makes Kerberos requests using these names to try to find a valid username in the domain. When a guess successfully determines a username, the attacker gets the **Preauthentication required** instead of **Security principal unknown** Kerberos error.<br><br>**NTLM**: Attacker makes NTLM authentication requests using the dictionary of names to try to find a valid username in the domain. If a guess successfully determines a username, the attacker gets the **WrongPassword (0xc000006a)** instead of **NoSuchUser (0xc0000064)** NTLM error.<br>In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers.<br><br>**Learning period**: None<br><br><br>**Suggested steps for prevention**:<br>Enforce Complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute force attacks are typically the next step in the cyber-attack kill chain following enumeration.</details> | Medium |[TA0007](https://attack.mitre.org/tactics/TA0007/)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br> |xdr_AccountEnumerationHintSecurityAlertAdfs|
-
|<a name="account-enumeration-reconnaissance-in-kerberos"></a><details><summary>Account Enumeration reconnaissance in Kerberos</summary><br>**Previous name**: Reconnaissance using account enumeration.<br><br>**Description**:<br>In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.<br><br>**Kerberos**: Attacker makes Kerberos requests using these names to try to find a valid username in the domain. When a guess successfully determines a username, the attacker gets the **Preauthentication required** instead of **Security principal unknown** Kerberos error.<br><br>**NTLM**: Attacker makes NTLM authentication requests using the dictionary of names to try to find a valid username in the domain. If a guess successfully determines a username, the attacker gets the **WrongPassword (0xc000006a)** instead of **NoSuchUser (0xc0000064)** NTLM error.<br>In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers.<br><br>**Learning period**: None<br><br><br>**Suggested steps for prevention**:<br>Enforce Complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute force attacks are typically the next step in the cyber-attack kill chain following enumeration.</details> | Medium |[TA0007](https://attack.mitre.org/tactics/TA0007/)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br> |xdr_AccountEnumerationHintSecurityAlertKerberos|
-
|<a name="account-enumeration-reconnaissance-in-ntlm"></a><details><summary>Account Enumeration reconnaissance in NTLM</summary><br>**Previous name**: Reconnaissance using account enumeration.<br><br>**Description**:<br>In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.<br><br>**Kerberos**: Attacker makes Kerberos requests using these names to try to find a valid username in the domain. When a guess successfully determines a username, the attacker gets the **Preauthentication required** instead of **Security principal unknown** Kerberos error.<br><br>**NTLM**: Attacker makes NTLM authentication requests using the dictionary of names to try to find a valid username in the domain. If a guess successfully determines a username, the attacker gets the **WrongPassword (0xc000006a)** instead of **NoSuchUser (0xc0000064)** NTLM error.<br>In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers.<br><br>**Learning period**: None<br><br><br>**Suggested steps for prevention**:<br>Enforce Complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute force attacks are typically the next step in the cyber-attack kill chain following enumeration.</details> | Medium |[TA0007](https://attack.mitre.org/tactics/TA0007/)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br> |xdr_AccountEnumerationHintSecurityAlertNtlm|
+
|<a name="account-enumeration-reconnaissance-in-ad-fs"></a><details><summary>Account Enumeration reconnaissance in AD FS</summary><br>**Previous name**: Reconnaissance using account enumeration.<br><br>**Description**:<br>In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.<br>In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers.<br><br>**Learning period**: None<br><br><br>**Suggested steps for prevention**:<br>Enforce Complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute force attacks are typically the next step in the cyber-attack kill chain following enumeration.</details> | Medium |[TA0007](https://attack.mitre.org/tactics/TA0007/)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br> |xdr_AccountEnumerationHintSecurityAlertAdfs|
+
|<a name="account-enumeration-reconnaissance-in-kerberos"></a><details><summary>Account Enumeration reconnaissance in Kerberos</summary><br>**Previous name**: Reconnaissance using account enumeration.<br><br>**Description**:<br>In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.<br><br>The attacker makes Kerberos requests using these names to try to find a valid username in the domain. When a guess successfully determines a username, the attacker gets the **Preauthentication required** instead of **Security principal unknown** Kerberos error.<br>In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers.<br><br>**Learning period**: None<br><br><br>**Suggested steps for prevention**:<br>Enforce Complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute force attacks are typically the next step in the cyber-attack kill chain following enumeration.</details> | Medium |[TA0007](https://attack.mitre.org/tactics/TA0007/)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br> |xdr_AccountEnumerationHintSecurityAlertKerberos|
+
|<a name="account-enumeration-reconnaissance-in-ntlm"></a><details><summary>Account Enumeration reconnaissance in NTLM</summary><br>**Previous name**: Reconnaissance using account enumeration.<br><br>**Description**:<br>In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess in an attempt to guess user names in the domain.<br>The attacker makes NTLM authentication requests using the dictionary of names to try to find a valid username in the domain. If a guess successfully determines a username, the attacker gets the **WrongPassword (0xc000006a)** instead of **NoSuchUser (0xc0000064)** NTLM error.<br>In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers.<br><br>**Learning period**: None<br><br><br>**Suggested steps for prevention**:<br>Enforce Complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute force attacks are typically the next step in the cyber-attack kill chain following enumeration.</details> | Medium |[TA0007](https://attack.mitre.org/tactics/TA0007/)<br>[T1087](https://attack.mitre.org/techniques/T1087/)<br>[T1087.002](https://attack.mitre.org/techniques/T1087/002/)<br> |xdr_AccountEnumerationHintSecurityAlertNtlm|
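Review bot: The new AD FS row (new line 129) removes both the Kerberos and NTLM mechanism paragraphs without replacing them, so it no longer says how enumeration against AD FS is observed or which response distinguishes a valid name from an unknown one; what remains is the generic dictionary sentence, which still cites KrbGuess, a Kerberos-specific tool, and that same KrbGuess clause also survives in the NTLM row (new line 131) where it does not apply. Either add a short AD FS-specific mechanism paragraph or drop the KrbGuess clause from the AD FS and NTLM rows. All three new rows also keep the identical sentence "The alert is based on authentication events from sensors running on domain controller and AD FS / AD CS servers." and the identical "Previous name: Reconnaissance using account enumeration."; now that the alerts are split per protocol, consider stating per row which sensor source that variant actually consumes (for example AD FS servers for xdr_AccountEnumerationHintSecurityAlertAdfs, domain controllers for the Kerberos and NTLM variants) rather than repeating the shared sentence, if that is how the detections are scoped. Minor: the Kerberos row introduces its mechanism paragraph with `<br><br>` while the NTLM row uses a single `<br>`, and in both rows "In this alert detection" follows the mechanism text with only one `<br>`, so the rendered spacing differs between rows; make the breaks consistent. "Enforce Complex and long passwords" should read "Enforce complex and long passwords".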