Reconnaissance using directory services enumeration false positive?

  • Question

  • We are getting an alert telling us a workstation (computer account) on workstation (computer account) has enumerated all users in the AD. Currently a number of computers have this activity, but it lists either the workstation as the user doing it or an "unknown user".


    The following directory services enumerations using SAMR protocol were attempted against 2 domain controllers from wkrstation-004: Successful enumeration of all users in blabla.local by wrkstation-004 4-7-2017 7
    6-27-2017
    Medium Open

    Wednesday, June 28, 2017 12:11 PM

All replies

  • Hello,

    Basically, you can follow the recommendations included in the alert message. Since lots of computers were detected, is it possible that a certain service or application running on these computers performs these operations?

    By the way, what's the version of the ATA?

    Best regards,
    Andy Liu 


    Tuesday, July 4, 2017 7:38 AM