Account enumeration reconnaissance

  • Question

  • I am receiving these two alerts continuously.

    "An actor on workstation performed suspicious account enumeration exposing xxx existing account names"

    Is this a generic alert when ATP does not recognize the machine name or is the machine name actually "workstation"?

    I get the exact same alert for a workstation named MSTSC.

    Any help would be greatly appreciated.

    • Edited by Azure ATP Wednesday, March 6, 2019 2:44 PM
    Wednesday, March 6, 2019 2:43 PM

All replies

  • ATP reflects what Windows has seen in the event log.

    From past experience WORKSTATION usually means a Mac machine.

    MSTSC means someone tried to connect using remote desktop.

    Wednesday, March 6, 2019 3:29 PM
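
To see what the domain controller logged behind alerts like these, the sketch below groups NTLM credential-validation events by the client-reported workstation name and counts the distinct account names tried from each source. It is an added example, not part of the original thread or of Azure ATP; it assumes the events were exported from the Security log as event ID 4776 records with the fields TargetUserName, Workstation and Status, and the sample records, the threshold and the function name are constructed for illustration.

```python
from collections import defaultdict

NO_SUCH_USER = 0xC0000064  # NTSTATUS STATUS_NO_SUCH_USER in the 4776 Status field
THRESHOLD = 3  # assumption: distinct names from one source that merit a review

# Constructed sample records (not real log data), shaped like exported 4776 events.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "Workstation": "WORKSTATION", "Status": "0xC000006A"},
    {"TargetUserName": "bob", "Workstation": "WORKSTATION", "Status": "0xC0000064"},
    {"TargetUserName": "carol", "Workstation": "workstation", "Status": "0xC0000064"},
    {"TargetUserName": "dave", "Workstation": "WORKSTATION", "Status": "0x0"},
    {"TargetUserName": "Alice", "Workstation": "WORKSTATION", "Status": "0xC000006A"},
    {"TargetUserName": "admin", "Workstation": "MSTSC", "Status": "0xC0000064"},
    {"TargetUserName": "administrator", "Workstation": "MSTSC", "Status": "0xC000006A"},
    {"TargetUserName": "alice", "Workstation": "PC-EXAMPLE01", "Status": "0x0"},
    {"TargetUserName": "svc-test", "Workstation": "", "Status": "0xC0000064"},
]


def summarize_by_workstation(events, threshold=THRESHOLD):
    """Return per-source counts of distinct and nonexistent account names."""
    seen = defaultdict(lambda: {"accounts": set(), "missing": set()})
    for ev in events:
        # The workstation name is supplied by the client, so normalise case and
        # keep empty values in their own bucket instead of dropping them.
        src = (ev.get("Workstation") or "").strip().upper() or "<EMPTY>"
        user = ev["TargetUserName"].strip().lower()
        seen[src]["accounts"].add(user)
        if int(ev["Status"], 16) == NO_SUCH_USER:
            seen[src]["missing"].add(user)
    return {
        src: {
            "distinct_accounts": len(s["accounts"]),
            "nonexistent_accounts": len(s["missing"]),
            "review": len(s["accounts"]) >= threshold,
        }
        for src, s in seen.items()
    }


if __name__ == "__main__":
    for src, row in sorted(summarize_by_workstation(SAMPLE_EVENTS).items()):
        print(src, row)
```

Because the workstation name comes from the client, a source flagged for review is best correlated with network-level data such as the connecting IP address before it is attributed to a specific machine.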