After 1.7 Upgrade - hundreds of "Reconnaissance using directory services enumeration" alerts in a few minutes

  • Question

  • Just an FYI...

    In a few minutes after the 1.7 Upgrade (Full) completes, we received hundreds of "Reconnaissance using directory services enumeration" alerts.

    I'm still researching, but so far it appears to be a false alert.

    (Our FULL upgrade took just over 9 hours to complete.)

    Sidenote:  Is there a way to mass-resolve the +500 alerts, besides manually?

    Wednesday, August 31, 2016 2:58 PM

All replies

  • RoboMongo is my friend for a mass "resolve".
    Wednesday, August 31, 2016 3:35 PM
  • Hi,

    One of the new additions in 1.7 is the detection of reconnaissance using directory services enumeration.
    This means that these hundreds of machines are using SAM-R protocol to enumerate things like all of the users or all of the groups in a domain (which is what attackers would do).

    Can you explain why hundreds of machines would do that in your organization?
    (And probably very frequently, as it happened within minutes of the update.)
    Wednesday, August 31, 2016 9:11 PM
  • I'm still researching that...

    Regards.

    Wednesday, August 31, 2016 9:13 PM
  • As I understand the SAM-R protocol and servers - it would be related to SMB shares.
    (To be honest - I'm weak on exactly what this actually runs.)
    We have 18 DC's with +1000 servers & +5000 workstations.
    I know we have several drive-mappings at login and scripts running from Netlogon.

    I suspect in a couple of cases that the alert was triggered by Nessus/QRadar Vulnerability Manager scans, because I know we had a request to scan two servers recently before the alert triggered.

    I know we've run scans "AGAINST" these devices from a Nessus server, but not directly scanned "ON" these devices.

    (We're in the middle of a QRadar SIEM implementation including a QRadar Vulnerability Manager, but we haven't yet run any vuln. scans or hostdiscovery scans.)

    edit:  I've confirmed we weren't running vuln. scans last night during the first large batch (+500) of alerts after the upgrade completed.

    • Edited by Bjarni2007 Wednesday, August 31, 2016 9:53 PM
    Wednesday, August 31, 2016 9:41 PM
  • Could you provide an example of some other legitimate processes/functions?  (...and then I'll work to find other items.)

    Thanks,
    Troy

    Wednesday, August 31, 2016 9:59 PM
  • Hi Troy,

    I would like to work with you offline to better understand why this is happening.
    Can you please email ATAEval AT Microsoft.com and we will go from there.

    After we finish investigating we will report back here.
    Thursday, September 1, 2016 11:03 AM
  • I've emailed you @ that address.
    Further, we've not received any more of the alerts since yesterday afternoon.

    Thanks,
    Troy

    Thursday, September 1, 2016 2:40 PM
  • I'm having the same issue.  Many medium threats,

    "Reconnaissance using directory services enumeration

    The following directory services enumerations using SAMR protocol were attempted against {a DC} from {computer}: Successful enumeration of all groups in {domain} by {computer}"

    I think these computers are legitimately enumerating all groups, and are not a threat, so I'm concerned this will return many false positives.  Is there NO legitimate reason an unaffected workstation should be enumerating AD groups?

    All are, "Successful enumeration of all groups"

    The source accounts for all the alerts are either "Unknown" or the machine itself...

    Thanks,

    ~Bill


    • Edited by ITBillBNE Tuesday, January 24, 2017 9:12 PM
    Tuesday, January 24, 2017 9:07 PM
    It's official, all of my computers are registering false-positive "Reconnaissance using directory services enumeration" alerts.  Besides being connected to my domain, the other commonality is I'm running McAfee (AntiVirus & HIPS).

    Wednesday, January 25, 2017 2:39 PM
  • You can use the instructions in KB3191777 to turn off this detection for now.
    This detection will get an improvement in the next version so that we won't alert in such benign true positives.
    Wednesday, January 25, 2017 5:13 PM
  • We just started getting a lot of these.  Successful enumeration of all users in the domain from random computer accounts.

    Starting this past weekend, we're seeing up to 50 alerts per day.  Prior to that, I'd estimate that we would see an average of less than 5 per week.

    We're currently running version 1.7.5402.41928 and will be installing update 2 later today.  Is it still recommended to disable detection per KB3191777?  It's somewhat alarming that we suddenly started receiving so many alerts but I see no other evidence that there is an issue with these systems so far.

    Wednesday, March 29, 2017 3:51 PM
  • I would check what changed to start the investigation.
    What was added/changed on those machines?
    Wednesday, March 29, 2017 7:47 PM
  • Past:   Thanks to Benny previously. We uploaded our ATA database to ATA Support.

    Current:  We have correlated our ongoing recurring events over time to particular AD-LDAP integrated applications.

    1) Bomgar Remote Access
    2) EPIC Healthcare, ONBASE, & several other "smaller" Healthcare-related apps.
    3) Micro$oft SCCM
    4) Some Citrix Xenapp/Receiver published items, but I'm unsure if it's Citrix or the Published App (leaning toward the App)

    From what I can tell - these apps are polling for all groups.

    Regards,

    Troy

    Wednesday, March 29, 2017 8:48 PM
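The thread describes two triage steps for this detection: the alert text names the source computer, the DC, and whether all users or all groups were enumerated (the alert wording quoted by Bill above), and the final post resolves the alerts by correlating the source hosts to known AD-integrated applications (SCCM, Bomgar, etc.). The script below is an added example, not part of the thread and not ATA's own tooling, that parses a batch of such alert lines, groups them by source host, separates sources on an allow-list of known application hosts from those that still need review, and flags days whose alert count exceeds a baseline (the "under 5 per week" versus "50 per day" jump reported above). The regex, the `KNOWN_ENUMERATORS` allow-list, and all hostnames, domains, and timestamps are constructed for the example; the alert wording is assumed to be fixed as quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Pattern for the alert body quoted in the thread. The named groups are an
# assumption about the fixed wording, not an official ATA schema.
ALERT_RE = re.compile(
    r"attempted against (?P<dc>[^\s:]+) from (?P<src>[^\s:]+): "
    r"Successful enumeration of all (?P<what>users|groups) in (?P<domain>\S+) by (?P<actor>.+)$"
)

# Hosts running applications the thread identifies as legitimate pollers of
# all users/groups. Hypothetical names; populate from your own inventory.
KNOWN_ENUMERATORS = {"SCCM01.corp.example", "BOMGAR01.corp.example"}


def _alert(dc, src, what, actor, domain="corp.example"):
    """Build one alert line in the wording quoted in the thread (constructed sample)."""
    return (
        "The following directory services enumerations using SAMR protocol were "
        f"attempted against {dc} from {src}: Successful enumeration of all {what} "
        f"in {domain} by {actor}"
    )


# Constructed sample batch: (timestamp, alert text). Nothing here is real data.
SAMPLE_ALERTS = [
    ("2017-03-27 08:01", _alert("DC01.corp.example", "SCCM01.corp.example", "groups", "SCCM01$")),
    ("2017-03-27 08:03", _alert("DC02.corp.example", "SCCM01.corp.example", "groups", "SCCM01$")),
    ("2017-03-27 08:05", _alert("DC01.corp.example", "SCCM01.corp.example", "users", "SCCM01$")),
    ("2017-03-27 09:40", _alert("DC01.corp.example", "WS-0142.corp.example", "users", "Unknown")),
    ("2017-03-28 10:12", _alert("DC03.corp.example", "WS-0142.corp.example", "users", "Unknown")),
    ("2017-03-28 11:30", _alert("DC01.corp.example", "WS-0207.corp.example", "groups", "WS-0207$")),
]


def parse_alert(text):
    """Return the fields of one alert line, or None if the line is not this alert type."""
    m = ALERT_RE.search(text)
    return m.groupdict() if m else None


def summarize_sources(alerts):
    """Group alerts by source host: count, what was enumerated, DCs queried, accounts used."""
    summary = defaultdict(lambda: {"count": 0, "what": Counter(), "dcs": set(), "actors": set()})
    for _, text in alerts:
        fields = parse_alert(text)
        if fields is None:
            continue  # not a directory-services-enumeration alert; ignore
        entry = summary[fields["src"]]
        entry["count"] += 1
        entry["what"][fields["what"]] += 1
        entry["dcs"].add(fields["dc"])
        entry["actors"].add(fields["actor"])
    return dict(summary)


def triage(alerts, known_enumerators=KNOWN_ENUMERATORS):
    """Map each source host to a verdict: allow-listed application host, or needs review."""
    return {
        src: ("known-application-host" if src in known_enumerators else "review")
        for src in summarize_sources(alerts)
    }


def burst_days(alerts, baseline_per_day):
    """Return the days (sorted) on which the alert count exceeded the expected baseline."""
    per_day = Counter(ts.split(" ")[0] for ts, text in alerts if parse_alert(text))
    return sorted(day for day, n in per_day.items() if n > baseline_per_day)


if __name__ == "__main__":
    for src, entry in summarize_sources(SAMPLE_ALERTS).items():
        print(src, entry["count"], dict(entry["what"]), sorted(entry["dcs"]), sorted(entry["actors"]))
    print("verdicts:", triage(SAMPLE_ALERTS))
    print("burst days above baseline of 3/day:", burst_days(SAMPLE_ALERTS, 3))
```

Sources that land in `review` are the ones to check for an unlisted LDAP-integrated application, a vulnerability scanner, or an endpoint agent, as the posters above did; a source whose only actor is `Unknown` is worth a closer look than a machine account enumerating on its own behalf. Once a host is confirmed benign, adding it to the allow-list keeps the next batch from re-surfacing it.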