lsass, Microsoft.ActiveDirectory.WebServices and WmiPrvSE raising the Reconnaissance using directory services queries ATA alerts?

  • Question

  • Hello,

    I received quite a few "Reconnaissance using directory services queries" ATA alerts.

    Around the time when the alerts were created (time in the Excel files for the alerts) the following three processes were fired away on the source machine:

    Service Name: Active Directory Domain Services
    Service File Name: %SystemRoot%\System32\lsass.exe

    Service Name: Active Directory Web Services
    Service File Name: %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe

    Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
    Access Request Information:
    Accesses: ReadData (or ListDirectory)

    Do you know if these processes might, by any chance, enumerate lots of users in a domain, or at least whether ATA might see it that way?

    Thank you very much in advance.

    Regards,
    MSSOC
    Saturday, February 10, 2018 6:29 AM

All replies

  • Hello,

    Since ATA can't detect the specific process generating the queries, it's hard to say that it's caused by those processes.

    However, you can click on the alert to get to its details page, and check which queries were performed (for example, Enterprise admins, or Administrator) and whether or not they were successful. Then, you can investigate this alert by following the steps below.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 12, 2018 5:38 AM
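Since ATA names the source computer but not the process that issued the queries, the remaining step in a triage like the one above is host-side: correlate the alert time with the source machine's own network-connection telemetry to see which image talked to the domain controller. The script below is an added example, not from the thread or from ATA; it assumes Sysmon is installed on the source machine with network-connection logging (Event ID 3) enabled, that the SAM-R queries travelled over the SMB named pipe (TCP 445) to the DC, and that the alert time and DC address are taken from the alert export (both are parameters, not values from this page).

```powershell
# Added example (not part of the original thread): list which processes on the source
# machine opened connections to the domain controller around an ATA
# "Reconnaissance using directory services queries" alert.
# Assumptions: Sysmon with Event ID 3 logging; SAM-R over SMB, i.e. TCP 445.
param(
    [Parameter(Mandatory)][datetime]$AlertTime,          # alert time from the export, as local time
    [Parameter(Mandatory)][string[]]$DomainControllerIp, # DC address(es) named in the alert
    [int]$WindowMinutes = 10,                            # +/- window around the alert
    [int[]]$Ports = @(445)                               # 445 = SMB; add others if RPC/TCP is in use
)

# Get-WinEvent's StartTime/EndTime filters are interpreted as local time
$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 3
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# Parse the EventData block of each event into a name/value table and keep only
# connections that went to one of the DCs on a port of interest.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($DomainControllerIp -contains $d.DestinationIp -and $Ports -contains [int]$d.DestinationPort) {
        [pscustomobject]@{
            UtcTime         = $d.UtcTime
            Image           = $d.Image      # e.g. WmiPrvSE.exe, lsass.exe, or an unexpected tool
            ProcessId       = $d.ProcessId
            User            = $d.User       # account the process ran as
            DestinationIp   = $d.DestinationIp
            DestinationPort = $d.DestinationPort
        }
    }
}

# Summary: which images talked to the DC, how often, and under which account
$hits | Group-Object Image, User | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'Image, User'; e = { $_.Name }} | Format-Table -AutoSize

# Full list, in time order, for the triage record
$hits | Sort-Object UtcTime | Format-Table -AutoSize
```

An image that appears here only during the alert window, or one that is not lsass.exe or a known management agent, is the one worth comparing against the queries listed on the alert's details page.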