Suspicious account enumeration activity using Kerberos protocol

  • Question

  • Got an alert from Microsoft Advanced Threat Analytics that I think has to be legit. It is in my SharePoint 2013 environment and it says the following.

    Suspicious account enumeration activity using Kerberos protocol, originating from SERVER, was detected. The attacker performed a total of 346 guess attempts for account names, 296 guess attempts matched existing account names in Active Dir

    Sounds like a real attack to me, but does anyone know if this is SharePoint doing something? Highly unlikely, since SharePoint wouldn't be guessing accounts like this.


    Jason VanCise

    Tuesday, December 15, 2015 3:47 PM

All replies

  • I also get this alert from SharePoint.

    It seems to occur during the daily profile import, so it does seem to be legitimate; however, I don't see a way to exclude this from getting flagged.

    • Edited by dscotland Tuesday, March 1, 2016 3:06 PM
    Tuesday, March 1, 2016 3:05 PM
  • Hi,
    I am no SharePoint expert, so please do not take my response as 'legitimate vs. not legitimate' regarding the event itself. You should check this event within your environment carefully.
    Just referring to the question on how to suppress this particular issue on the timeline: if you set the alert to "Dismissed", it won't pop up again for the source (SharePoint). Bear in mind that any attempt to guess account names from this system / service would not be logged afterwards, even not legitimate ones.
    HTH, Fabian
    Wednesday, March 2, 2016 8:18 PM
  • Hi Fabian

    For me it's definitely just SharePoint doing its profile import / updating of any changed details, as I can make this occur at will by running a delta or full import, but yes, you need to confirm this is the case for your environment first.

    So in my case it would be very useful to be able to exclude the detection of this when it is SharePoint doing this.



    Tuesday, March 29, 2016 2:04 PM