locked
Reconnaissance using directory services enumeration false positive? RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    we are getting an alert telling us a workstation (computer account) on workstation (computer account) have enumerated all user in the AD. currently a number of computers have this activity but it lists either the workstation as the user doing it or an "unknown user"


    The following directory services enumerations using SAMR protocol were attempted against 2 domain controllers from wkrstation-004: Successful enumeration of all users in blabla.local by wrkstation-004 4-7-2017 7
    		 6-27-2017
    		Medium Open

    Wednesday, June 28, 2017 12:11 PM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    Hello,

    Basically, you can follow the recommendations included in the alert message. Since lots of computers were detected, is it possible that certain service or application running on these computers perform these operations.

    By the way, what's the version of the ATA?

    Best regards,
    Andy Liu 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 4, 2017 7:38 AM