Reconnaissance using Directory Services queries

Question

One afternoon around 4pm, we started getting inundated with alerts from ATA. Most of the alerts had the same domain controller name, the same user account (which is an account we have in domain admins), and the same domain. The <member server> name was different each time, and seemed very random (like it was going through a list of all our servers), and it was only servers that it was coming from (not clients). Here's the actual alert title and description:

    Title: Reconnaissance using Directory Services queries

    Description: The following directory services queries using SAMR protocol were attempted against <domain controller> from <member server>: Successful query about <user account> in <domain>.  

    I'm not that knowledgeable about such things (I don't have a strong security background or hacker mentality). What should I make of these alerts? There were about 20-30 of them in a row between 4pm and 8pm.

    Also, is there an "ATA for dummies" guide that helps you decipher what the alerts mean and how you should handle them? There are others we receive that I don't know how to handle.


    Thursday, June 11, 2020 7:21 PM
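A triage helper for the pattern the poster describes (one privileged account queried over SAMR from many different member servers against one DC). This is an added example, not part of the original post or of ATA itself: it parses constructed alert lines in the description format quoted above (hostnames, account names and timestamps are made up) and flags an account that is queried from several distinct hosts, which is the fan-out worth investigating, whether it turns out to be an inventory job or actual reconnaissance.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the alert description quoted in the post, with real hostnames in place
# of the <domain controller> / <member server> placeholders.
ALERT_RE = re.compile(
    r"SAMR protocol were attempted against (?P<dc>\S+) from (?P<src>\S+): "
    r"Successful query about (?P<account>\S+) in (?P<domain>\S+)\."
)

# Constructed sample lines ("<timestamp> <description>"), not real ATA output.
SAMPLE_ALERTS = """\
2020-06-11 16:02:10 The following directory services queries using SAMR protocol were attempted against DC01.corp.example from APP-01.corp.example: Successful query about svc-admin in corp.example.
2020-06-11 16:09:44 The following directory services queries using SAMR protocol were attempted against DC01.corp.example from APP-02.corp.example: Successful query about svc-admin in corp.example.
2020-06-11 16:31:05 The following directory services queries using SAMR protocol were attempted against DC01.corp.example from FILE-01.corp.example: Successful query about svc-admin in corp.example.
2020-06-11 17:12:38 The following directory services queries using SAMR protocol were attempted against DC01.corp.example from SQL-03.corp.example: Successful query about svc-admin in corp.example.
2020-06-11 17:40:00 The following directory services queries using SAMR protocol were attempted against DC01.corp.example from WS-USER17.corp.example: Successful query about jdoe in corp.example.
"""

def parse_alerts(text):
    """Yield (timestamp, dc, source_host, account) for every line that matches."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
            yield ts, m["dc"], m["src"], m["account"]

def summarize(text, min_sources=3):
    """Group alerts by (dc, account) and flag accounts queried from >= min_sources hosts."""
    groups = defaultdict(list)
    for ts, dc, src, account in parse_alerts(text):
        groups[(dc, account)].append((ts, src))
    summary = {}
    for key, events in groups.items():
        times = [t for t, _ in events]
        sources = sorted({s for _, s in events})
        summary[key] = {
            "sources": sources,
            "count": len(events),
            "span_minutes": (max(times) - min(times)).total_seconds() / 60,
            # Many distinct hosts asking about one account is the fan-out seen in the post.
            "flag": len(sources) >= min_sources,
        }
    return summary

if __name__ == "__main__":
    for (dc, account), info in summarize(SAMPLE_ALERTS).items():
        status = "INVESTIGATE" if info["flag"] else "ok"
        print(f"{status}: {account} on {dc} from {len(info['sources'])} hosts over {info['span_minutes']:.0f} min")
```

Run it against an export of the real alerts; the flagged accounts and the list of source hosts give you something concrete to check against scheduled tasks, monitoring agents and service accounts before treating the burst as an intrusion.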
