Submitted URL: https://aka.ms/atasaguide-recenum
Effective URL: https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts
Submission: On September 09 via api from US — Scanned from DE

TUTORIAL: RECONNAISSANCE ALERTS

 * 12/23/2020


IN THIS ARTICLE

 1. Account enumeration reconnaissance (external ID 2003)
 2. Active Directory attributes reconnaissance (LDAP) (external ID 2210)
 3. Network-mapping reconnaissance (DNS) (external ID 2007)
 4. Security principal reconnaissance (LDAP) (external ID 2038)
 5. User and Group membership reconnaissance (SAMR) (external ID 2021)
 6. User and IP address reconnaissance (SMB) (external ID 2012)
 7. See Also

Typically, cyberattacks are launched against any accessible entity, such as a
low-privileged user, and then quickly move laterally until the attacker gains
access to valuable assets. Valuable assets can be sensitive accounts, domain
administrators, or highly sensitive data. Microsoft Defender for Identity
identifies these advanced threats at the source throughout the entire attack
kill chain and classifies them into the following phases:

 1. Reconnaissance
 2. Compromised credentials
 3. Lateral Movements
 4. Domain dominance
 5. Exfiltration

To learn more about the structure and common components of all Defender for
Identity security alerts, see Understanding security alerts.
For information about True positive (TP), Benign true positive (B-TP), and False
positive (FP), see security alert classifications.

The following security alerts help you identify and remediate Reconnaissance
phase suspicious activities detected by Defender for Identity in your network.

In this tutorial, learn how to understand, classify, remediate, and prevent the
following types of attacks:

 * Account enumeration reconnaissance (external ID 2003)
 * Active Directory attributes reconnaissance (LDAP) (external ID 2210)
 * Network mapping reconnaissance (DNS) (external ID 2007)
 * Security principal reconnaissance (LDAP) (external ID 2038)
 * User and Group membership reconnaissance (SAMR) (external ID 2021)
 * User and IP address reconnaissance (SMB) (external ID 2012)


ACCOUNT ENUMERATION RECONNAISSANCE (EXTERNAL ID 2003)

Previous name: Reconnaissance using account enumeration

Description

In account enumeration reconnaissance, an attacker uses a dictionary with
thousands of user names, or tools such as KrbGuess in an attempt to guess user
names in the domain.

Kerberos: The attacker sends Kerberos authentication requests (AS-REQ) using
these names to find valid usernames in the domain. When a guess hits an existing
account, the KDC answers with KDC_ERR_PREAUTH_REQUIRED (Preauthentication
required) instead of KDC_ERR_C_PRINCIPAL_UNKNOWN (Security principal unknown),
so the attacker learns that the name is valid without ever supplying a password.

NTLM: The attacker makes NTLM authentication requests using the dictionary of
names. When a guess hits an existing account, the failure is WrongPassword
(STATUS_WRONG_PASSWORD, 0xC000006A) instead of NoSuchUser
(STATUS_NO_SUCH_USER, 0xC0000064).

In this detection, Defender for Identity reports where the account enumeration
attack came from, the total number of guess attempts, and how many attempts
matched existing accounts. If the number of unknown users is too high, Defender
for Identity flags the activity as suspicious. The alert is based on
authentication events from sensors running on domain controllers and AD FS
servers.
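The detection logic the description above sketches, as an added example (not Defender for Identity's code and not from this page): it replays constructed Windows Event 4776 credential-validation records, separates NoSuchUser from WrongPassword outcomes per source computer, flags sources that produce many distinct non-existent names, lists the names they confirmed, and notes when the source name is the opaque Workstation or MSTSC value discussed later in this section. The record layout, the threshold and the host names are assumptions.

```python
"""Account enumeration detection over NTLM credential-validation events.

Added example, not Defender for Identity code. It replays constructed Windows
Event 4776 records rendered as 'key=value;...' lines and applies the rule from
the alert description: a guess against a non-existent account fails with
STATUS_NO_SUCH_USER (0xC0000064), a guess that hits a real account fails with
STATUS_WRONG_PASSWORD (0xC000006A). A source producing many distinct NoSuchUser
names is enumerating; its WrongPassword names are the usernames it confirmed.
The threshold, host names and events are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

STATUS_SUCCESS = 0x0
STATUS_NO_SUCH_USER = 0xC0000064
STATUS_WRONG_PASSWORD = 0xC000006A

# 4776 "Source Workstation" values that carry no real host identity; the
# tutorial recommends enabling NTLM auditing (Event 8004) when these appear.
OPAQUE_SOURCE_NAMES = {"WORKSTATION", "MSTSC"}


@dataclass
class SourceStats:
    total: int = 0
    unknown_users: set = field(default_factory=set)   # names that do not exist
    matched_users: set = field(default_factory=set)   # names confirmed to exist
    opaque_source_name: bool = False                  # Workstation/MSTSC seen


def parse_4776(line: str) -> dict:
    """Parse one constructed 'Workstation=..;TargetUserName=..;Status=0x..' line."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";") if part)
    fields["Status"] = int(fields["Status"], 16)
    return fields


def analyze(lines, min_unknown: int = 20) -> dict:
    """Return {source: SourceStats} for sources with >= min_unknown distinct
    non-existent usernames. Matched names are kept so the analyst can check
    them for follow-on brute force and for sensitive accounts."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_4776(line)
        src = ev["Workstation"]
        s = stats[src]
        s.total += 1
        if src.upper() in OPAQUE_SOURCE_NAMES:
            s.opaque_source_name = True
        user = ev["TargetUserName"].lower()
        if ev["Status"] == STATUS_NO_SUCH_USER:
            s.unknown_users.add(user)
        elif ev["Status"] in (STATUS_WRONG_PASSWORD, STATUS_SUCCESS):
            s.matched_users.add(user)
    return {src: s for src, s in stats.items() if len(s.unknown_users) >= min_unknown}


def build_sample_events() -> list:
    """Constructed sample: an enumerating host, a benign Exchange server, and an
    enumerator hidden behind the opaque 'MSTSC' source name."""
    events = [f"Workstation=WS-ATTACK01;TargetUserName=guess{i:03d};Status=0xC0000064"
              for i in range(40)]
    events += [f"Workstation=WS-ATTACK01;TargetUserName={n};Status=0xC000006A"
               for n in ("jdoe", "svc_backup", "Administrator")]
    events += [f"Workstation=EXCH01;TargetUserName={n};Status=0x0"
               for n in ("jdoe", "asmith", "jdoe")]
    events.append("Workstation=EXCH01;TargetUserName=oldaccount;Status=0xC0000064")
    events += [f"Workstation=MSTSC;TargetUserName=user{i};Status=0xC0000064"
               for i in range(25)]
    return events


def report(findings: dict) -> list:
    """One line per flagged source, in the order the alert surfaces the data:
    where it came from, how many guesses, how many matched."""
    lines = []
    for src, s in findings.items():
        note = (" (opaque source name: enable Event 8004 NTLM auditing)"
                if s.opaque_source_name else "")
        lines.append(f"{src}: {s.total} attempts, {len(s.unknown_users)} unknown, "
                     f"{len(s.matched_users)} matched {sorted(s.matched_users)}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(build_sample_events()))))
```

Run directly it prints the two flagged sources. In practice the lines would come from the domain controllers' Security logs via your SIEM, and min_unknown should sit above the background noise that Exchange and HR systems generate in your environment, which is exactly the B-TP case the next section walks through.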

MITRE

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087)
MITRE attack sub-technique: Domain Account (T1087.002)

Learning period

None

TP, B-TP, or FP

Some servers and applications query domain controllers to determine whether
accounts exist as part of legitimate usage scenarios.

To determine whether this activity was a TP, B-TP, or FP, select the alert to
open its detail page:

 1. Check whether the source computer was expected to perform this type of
    query. Examples of a B-TP in this case are Microsoft Exchange servers or
    human resources systems.

 2. Check the account domains.
    
    * Do you see additional users who belong to a different domain?
      A misconfigured server such as Exchange, Skype for Business or AD FS can
      generate lookups for users that belong to other domains.
    * Look at the configuration of the problematic service to fix the
      misconfiguration.
    
    If you answered yes to the questions above, it's a B-TP activity. Close the
    security alert.

As the next step, look at the source computer:

 1. Is there a script or application running on the source computer that could
    generate this behavior?
    
    * Is the script an old script running with old credentials?
      If yes, stop and edit or delete the script.
    
    * Is the application an administrative or security script/application that
      is supposed to run in the environment?
      
      If you answered yes to the previous question, close the security alert
      and exclude that computer. It's probably a B-TP activity.

Now, look at the accounts:

Attackers are known to use a dictionary of randomized account names to find
existing account names in an organization.

 1. Do the non-existing accounts look familiar?
    
    * If the non-existing accounts look familiar, they may be disabled accounts
      or belong to employees who left the company.
    
    * Check for an application or script that checks to determine which accounts
      still exist in Active Directory.
      
      If you answered yes to one of the previous questions, close the security
      alert; it's probably a B-TP activity.

 2. If any of the guess attempts match existing account names, the attacker
    knows of the existence of accounts in your environment and can attempt to
    use brute force to access your domain using the discovered user names.
    
    * Check the guessed account names for additional suspicious activities.
    * Check to see if any of the matched accounts are sensitive accounts.

Understand the scope of the breach

 1. Investigate the source computer

 2. If any of the guess attempts match existing account names, the attacker
    knows of the existence of accounts in your environment, and can use brute
    force to attempt to access your domain using the discovered user names.
    Investigate the existing accounts using the user investigation guide.
    
    Note
    
    Examine the evidence to learn the authentication protocol used. If NTLM
    authentication was used, enable NTLM auditing of Windows Event 8004 on the
    domain controller to determine the resource server the users attempted to
    access.
    Windows Event 8004 is the NTLM authentication event that includes
    information about the source computer, user account, and server that the
    source user account attempted to access.
    Defender for Identity captures the source computer data based on Windows
    Event 4776, which contains the source computer name as reported by the
    computer itself. Because that field is supplied by the client, it is
    occasionally overwritten by the device or software and only displays
    Workstation or MSTSC as the information source. In addition, the source
    computer might not actually exist on your network. This is possible because
    adversaries commonly target open, internet-accessible servers from outside
    the network and then use them to enumerate your users. If you frequently see
    devices that display as Workstation or MSTSC, make sure to enable NTLM
    auditing on the domain controllers to get the accessed resource server name.
    You should also investigate this server, check whether it is open to the
    internet, and if you can, close it.

 3. When you learn which server sent the authentication validation, investigate
    the server by checking events, such as Windows Event 4624, to better
    understand the authentication process.

 4. Check if this server is exposed to the internet using any open ports. For
    example, is the server open using RDP to the internet?

Suggested remediation and steps for prevention

 1. Contain the source computer.
    1. Find the tool that performed the attack and remove it.
    2. Look for users who were logged on around the same time as the activity
       occurred, as these users may also be compromised.
    3. Reset their passwords and enable MFA or, if you've configured the
       relevant high-risk user policies in Azure Active Directory Identity
       Protection, you can use the Confirm user compromised action in the Cloud
       App Security portal.
 2. Enforce Complex and long passwords in the organization. Complex and long
    passwords provide the necessary first level of security against brute-force
    attacks. Brute force attacks are typically the next step in the cyber-attack
    kill chain following enumeration.


ACTIVE DIRECTORY ATTRIBUTES RECONNAISSANCE (LDAP) (EXTERNAL ID 2210)

Description

Active Directory LDAP reconnaissance is used by attackers to gain critical
information about the domain environment. This information can help attackers
map the domain structure, as well as identify privileged accounts for use in
later steps in their attack kill chain. Lightweight Directory Access Protocol
(LDAP) is one of the most popular methods used for both legitimate and malicious
purposes to query Active Directory.

MITRE

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), Indirect Command Execution (T1202), Permission Groups Discovery (T1069)
MITRE attack sub-technique: Domain Account (T1087.002), Domain Groups (T1069.002)

Learning period

None

TP, B-TP, or FP

 1. Select the alert to view the queries that were performed.
    * Check if the source computer is supposed to make these queries
      * If yes, close the security alert as an FP. If it's an ongoing activity,
        exclude the suspicious activity.
 2. Select the source computer and go to its profile page.
    * Look for any unusual activities that occurred around the time of the
      queries such as the following types of search: logged in users, accessed
      resources, and other probing queries.
    * If Microsoft Defender for Endpoint integration is enabled, select its icon
      to further investigate the machine.
      * Look for unusual processes and alerts that occurred around the time of
        the queries
 3. Check exposed accounts.
    * Look for unusual activities.

If you answered yes to questions 2 or 3, consider this alert a TP and follow the
instructions in Understand the scope of the breach.

Understand the scope of the breach

 1. Investigate the source computer.
 2. Is the computer running a scanning tool that performs a variety of LDAP
    queries?
    * Investigate whether the specific queried users and groups in the attack
      are privileged or high-value accounts (that is, CEO, CFO, IT management,
      etc.). If so, look at other activities on the endpoint as well and monitor
      computers that the queried accounts are logged into, as they're probably
      targets for lateral movement.
 3. Check the queries and their attributes, and determine if they were
    successful. Investigate each exposed group, search for suspicious activities
    made on the group or by member users of the group.
 4. Can you see SAM-R, DNS, or SMB reconnaissance behavior on the source
    computer?

Suggested remediation and steps for prevention

 1. Contain the source computer
    1. Find the tool that performed the attack and remove it.
    2. If the computer is running a scanning tool that performs a variety of
       LDAP queries, look for users who were logged on around the same time as
       the activity occurred, as these users may also be compromised. Reset
       their passwords and enable MFA or, if you've configured the relevant
       high-risk user policies in Azure Active Directory Identity Protection,
       you can use the Confirm user compromised action in the Cloud App Security
       portal.
 2. Reset the password of the SPN's service account if the service runs under a
    user account (not a machine account) and its resource was accessed.


NETWORK-MAPPING RECONNAISSANCE (DNS) (EXTERNAL ID 2007)

Previous name: Reconnaissance using DNS

Description

Your DNS server contains a map of all the computers, IP addresses, and services
in your network. This information is used by attackers to map your network
structure and target interesting computers for later steps in their attack.

There are several query types in the DNS protocol. This Defender for Identity
security alert detects suspicious requests of two kinds: AXFR (zone transfer)
requests originating from hosts that are not DNS servers, and an excessive
number of requests from a single source. A successful zone transfer hands the
requester the whole zone in one response, which is why it is the cheapest way
to map a network.
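Both rules from the description, as an added example that is not part of the original page or of Defender for Identity: it runs over a constructed DNS query log with ISO timestamps, flags a zone transfer requested by a host outside an assumed DNS-server allowlist, and uses a per-source sliding window to flag an excessive number of queries (here a reverse-lookup sweep of a /24). Addresses, window and threshold are assumptions.

```python
"""DNS reconnaissance detection over a constructed query log.

Added example, not Defender for Identity code. The alert description names two
suspicious patterns: a zone transfer (AXFR) requested by a host that is not a
DNS server, and an excessive number of requests from one source. This block
applies both rules to constructed records of the form
'<ISO timestamp> <source IP> <qtype> <qname>', assumed sorted by time. The DNS
server list, the window and the threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: the only hosts that legitimately request zone transfers are the
# organisation's own DNS servers (secondaries pulling from the primary).
DNS_SERVERS = {"10.0.0.10", "10.0.0.11"}
TRANSFER_TYPES = {"AXFR", "IXFR"}


def parse_record(line: str):
    ts, src, qtype, qname = line.split()
    return datetime.fromisoformat(ts), src, qtype.upper(), qname.lower().rstrip(".")


def detect(lines, window=timedelta(minutes=1), max_queries=50) -> dict:
    """Return {source: set(findings)}. A per-source sliding window of
    timestamps implements the 'excessive number of requests' rule."""
    findings = defaultdict(set)
    recent = defaultdict(deque)
    for line in lines:
        ts, src, qtype, qname = parse_record(line)
        if qtype in TRANSFER_TYPES and src not in DNS_SERVERS:
            findings[src].add(f"zone-transfer:{qname}")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > max_queries:
            findings[src].add("excessive-queries")
    return dict(findings)


def build_sample_log() -> list:
    """Constructed sample: a legitimate secondary pulling the zone, a workstation
    asking for the whole zone, a host reverse-sweeping 10.0.5.0/24, and a normal
    client doing a few lookups."""
    base = datetime(2021, 9, 9, 10, 0, 0)
    log = [f"{base.isoformat()} 10.0.0.11 AXFR corp.local."]
    log += [f"{(base + timedelta(seconds=3 * i)).isoformat()} 10.0.5.9 A {n}"
            for i, n in enumerate(("mail.corp.local", "dc01.corp.local", "fs01.corp.local"))]
    log.append(f"{(base + timedelta(minutes=5)).isoformat()} 10.0.5.23 AXFR corp.local.")
    log += [f"{(base + timedelta(minutes=10, seconds=0.5 * i)).isoformat()} 10.0.5.40 PTR "
            f"{i}.5.0.10.in-addr.arpa." for i in range(60)]
    return sorted(log)   # ISO timestamps sort lexicographically


if __name__ == "__main__":
    for src, hits in detect(build_sample_log()).items():
        print(src, sorted(hits))
```

The allowlist is what keeps the legitimate secondary out of the findings; this is the same check the tutorial asks you to make by hand ("is the source computer a DNS server?") before closing an alert as an FP.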

MITRE

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), Network Service Scanning (T1046), Remote System Discovery (T1018)
MITRE attack sub-technique: N/A

Learning period

This alert has a learning period of eight days from the start of domain
controller monitoring.

TP, B-TP, or FP

 1. Check if the source computer is a DNS server.
    
    * If the source computer is a DNS server, close the security alert as an FP.
    * To prevent future FPs, verify that UDP port 53 is open between the
      Defender for Identity sensor and the source computer.

Security scanners and legitimate applications can generate DNS queries.

 1. Check whether this source computer is supposed to generate this type of
    activity.
    
    * If this source computer is supposed to generate this type of activity,
      Close the security alert and exclude the computer as a B-TP activity.

Understand the scope of the breach

 1. Investigate the source computer.

Suggested remediation and steps for prevention

Remediation:

 * Contain the source computer.
   * Find the tool that performed the attack and remove it.
   * Look for users who were logged on around the same time as the activity
     occurred, as these users may also be compromised. Reset their passwords and
     enable MFA or, if you've configured the relevant high-risk user policies in
     Azure Active Directory Identity Protection, you can use the Confirm user
     compromised action in the Cloud App Security portal.

Prevention:

It's important to prevent future attacks that use AXFR queries by securing your
internal DNS server.

 * Secure your internal DNS server to prevent reconnaissance using DNS by
   disabling zone transfers or by restricting zone transfers only to specified
   IP addresses. Modifying zone transfers is one task among a checklist that
   should be addressed for securing your DNS servers from both internal and
   external attacks.


SECURITY PRINCIPAL RECONNAISSANCE (LDAP) (EXTERNAL ID 2038)

Description

Security principal reconnaissance is used by attackers to gain critical
information about the domain environment: information that helps attackers map
the domain structure and identify privileged accounts for use in later steps in
their attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of
the most popular methods used for both legitimate and malicious purposes to
query Active Directory. LDAP-focused security principal reconnaissance is
commonly used as the first phase of a Kerberoasting attack. Kerberoasting starts
by building a target list of Service Principal Names (SPNs); the attacker then
requests Ticket Granting Service (TGS) tickets for those SPNs. Because each
ticket is encrypted with the service account's password hash, the attacker can
crack those passwords offline.

To allow Defender for Identity to accurately profile and learn legitimate users,
no alerts of this type are triggered in the first 10 days following Defender for
Identity deployment. Once the Defender for Identity initial learning phase is
completed, alerts are generated on computers that perform suspicious LDAP
enumeration queries, or queries targeted at sensitive groups, using methods not
previously observed.
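Added example, not part of the page or of Defender for Identity, covering both this section and the Active Directory attributes reconnaissance (LDAP) section above: a classifier that pulls the attribute assertions out of LDAP search filters as a sensor sees them on the wire and labels the patterns the two sections call out (servicePrincipalName=* for a Kerberoasting target list, adminCount=1, membership in sensitive groups, and all-users enumeration), then aggregates the labels per source computer. The filter strings, the sensitive-group list and the host names are constructed.

```python
"""Classifying LDAP search filters for reconnaissance patterns.

Added example, not Defender for Identity code. The tutorial says LDAP security
principal reconnaissance is commonly the first phase of Kerberoasting, whose aim
is a list of accounts with servicePrincipalName set, and that the queries to
check are the ones aimed at sensitive groups or at all users in a domain. This
block extracts the attribute assertions from RFC 4515 filters and labels each
query. The filters, the sensitive-group names and the hosts are constructed.
"""
import re
from collections import defaultdict

# (attribute[:matchingRuleOID:])(op)(value). Nesting and the &/|/! operators
# are skipped: for classification only which attributes are asserted matters.
ASSERTION_RE = re.compile(r"\(([A-Za-z0-9.;:-]+)(=|~=|>=|<=)([^()]*)\)")

SENSITIVE_GROUP_HINTS = ("domain admins", "enterprise admins", "schema admins",
                         "cn=administrators,")      # assumed list of sensitive groups
BULK_ONLY_ATTRS = {"objectclass", "objectcategory", "samaccounttype"}


def extract_assertions(ldap_filter: str) -> list:
    """Return [(attribute_lowercase, operator, value)] in filter order."""
    return [(a.lower(), op, v) for a, op, v in ASSERTION_RE.findall(ldap_filter)]


def classify(ldap_filter: str) -> set:
    """Return the set of reconnaissance labels for one filter; an empty set
    means a targeted lookup that this logic does not consider suspicious."""
    assertions = extract_assertions(ldap_filter)
    labels, base_attrs = set(), set()
    for attr, _op, value in assertions:
        base = attr.split(":")[0]          # drop matching-rule OID on extensible matches
        base_attrs.add(base)
        if base == "serviceprincipalname" and value == "*":
            labels.add("spn-enumeration")               # Kerberoasting target list
        elif base == "admincount" and value == "1":
            labels.add("privileged-account-discovery")  # AdminSDHolder-protected objects
        elif base == "memberof" and any(h in value.lower() for h in SENSITIVE_GROUP_HINTS):
            labels.add("sensitive-group-membership")
        elif base in ("samaccountname", "cn", "name", "userprincipalname") and value == "*":
            labels.add("bulk-object-enumeration")
    if assertions and base_attrs <= BULK_ONLY_ATTRS:
        labels.add("bulk-object-enumeration")           # e.g. every user in the domain
    return labels


def triage(query_log) -> dict:
    """Aggregate labels per source for (source, filter) pairs; sources with no
    labels are dropped so the analyst sees only what needs a look."""
    per_source = defaultdict(set)
    for src, flt in query_log:
        per_source[src] |= classify(flt)
    return {src: labels for src, labels in per_source.items() if labels}


SAMPLE_QUERIES = [  # constructed: one recon host, one bulk scanner, one benign server
    ("WS-ATTACK01", "(&(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"),
    ("WS-ATTACK01", "(&(objectClass=user)(adminCount=1))"),
    ("WS-ATTACK01", "(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=corp,DC=local)"),
    ("WS-SCAN02", "(&(objectCategory=person)(objectClass=user))"),
    ("EXCH01", "(&(objectClass=user)(sAMAccountName=jdoe))"),
    ("EXCH01", "(&(objectClass=user)(mail=jdoe@corp.local))"),
]

if __name__ == "__main__":
    for src, labels in triage(SAMPLE_QUERIES).items():
        print(src, sorted(labels))
```

The first sample filter is the shape a Kerberoasting tool issues (every user with an SPN, minus krbtgt); the third uses the LDAP_MATCHING_RULE_IN_CHAIN OID to resolve nested membership of Domain Admins, which is why the classifier strips the matching-rule suffix before comparing attribute names. Labels are a starting point for the TP/B-TP/FP triage described in this section, not a verdict: the same filters are legitimate from an inventory or identity-governance server, which is the exclusion case the text covers.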

MITRE

Primary MITRE tactic: Discovery (TA0007)
Secondary MITRE tactic: Credential Access (TA0006)
MITRE attack technique: Account Discovery (T1087)
MITRE attack sub-technique: Domain Account (T1087.002)

Learning period

15 days per computer, starting from the day of the first event observed from
that machine.

TP, B-TP, or FP

 1. Select the source computer and go to its profile page.
    1. Is this source computer expected to generate this activity?
    2. If the computer and activity are expected, Close the security alert and
       exclude that computer as a B-TP activity.

Understand the scope of the breach

 1. Check the queries that were performed (such as Domain Admins, or all users
    in a domain) and determine if the queries were successful. Investigate each
    exposed group; search for suspicious activities made on the group or by
    member users of the group.
 2. Investigate the source computer.
    * Using the LDAP queries, check if any resource access activity occurred on
      any of the exposed SPNs.

Suggested remediation and steps for prevention

 1. Contain the source computer
    1. Find the tool that performed the attack and remove it.
    2. Is the computer running a scanning tool that performs various LDAP
       queries?
    3. Look for users logged on around the same time as the activity occurred as
       they may also be compromised. Reset their passwords and enable MFA or, if
       you've configured the relevant high-risk user policies in Azure Active
       Directory Identity Protection, you can use the Confirm user compromised
       action in the Cloud App Security portal.
 2. Reset the password of the SPN's service account if the service runs under a
    user account (not a machine account) and its resource was accessed.

Kerberoasting specific suggested steps for prevention and remediation

 1. Reset the passwords of the compromised users and enable MFA or, if you've
    configured the relevant high-risk user policies in Azure Active Directory
    Identity Protection, you can use the Confirm user compromised action in the
    Cloud App Security portal.
 2. Require long and complex passwords for user accounts that carry service
    principal names (SPNs), since a Kerberoasting attacker cracks those
    passwords offline from the service tickets.
 3. Replace the user account with a group Managed Service Account (gMSA), whose
    password is long, random, and rotated automatically.

Note

Security principal reconnaissance (LDAP) alerts are supported by Defender for
Identity sensors only.


USER AND GROUP MEMBERSHIP RECONNAISSANCE (SAMR) (EXTERNAL ID 2021)

Previous name: Reconnaissance using directory services queries

Description

User and group membership reconnaissance is used by attackers to map the
directory structure and target privileged accounts for later steps in their
attack. The Security Account Manager Remote (SAM-R) protocol is one of the
methods used to query the directory to perform this type of mapping. In this
detection, no alerts are triggered in the first month after Defender for
Identity is deployed (learning period). During the learning period, Defender for
Identity profiles which SAM-R queries are made from which computers, both
enumeration queries and individual queries of sensitive accounts.

Learning period

Four weeks per domain controller starting from the first network activity of
SAMR against the specific DC.

MITRE

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), Permission Groups Discovery (T1069)
MITRE attack sub-technique: Domain Account (T1087.002), Domain Group (T1069.002)

TP, B-TP, or FP

 1. Select the source computer to go to its profile page.
    
    * Is the source computer supposed to generate activities of this type?
      
      * If yes, Close the security alert and exclude that computer, as a B-TP
        activity.
    
    * Check the user(s) that performed the operation.
      
      * Do those users normally log into that source computer, or are they
        administrators who should be performing those specific actions?
    
    * Check the user profile and related user activities. Understand their
      normal user behavior and search for additional suspicious activities
      using the user investigation guide.
      
      If you answered yes to the questions above, close the alert as a B-TP
      activity.

Understand the scope of the breach

 1. Check the queries that were performed, for example, Enterprise admins, or
    Administrator, and determine if they were successful.
 2. Investigate each exposed user using the user investigation guide.
 3. Investigate the source computer.

Suggested remediation and steps for prevention

 1. Contain the source computer.
 2. Find and remove the tool that performed the attack.
 3. Look for users logged on around the same time as the activity, as they may
    also be compromised. Reset their passwords and enable MFA or, if you've
    configured the relevant high-risk user policies in Azure Active Directory
    Identity Protection, you can use the Confirm user compromised action in the
    Cloud App Security portal.
 4. Reset the source user password and enable MFA or, if you've configured the
    relevant high-risk user policies in Azure Active Directory Identity
    Protection, you can use the Confirm user compromised action in the Cloud App
    Security portal.
 5. Apply the Network access: Restrict clients allowed to make remote calls to
    SAM Group Policy setting, so that only the security principals you list can
    query SAM remotely.


USER AND IP ADDRESS RECONNAISSANCE (SMB) (EXTERNAL ID 2012)

Previous name: Reconnaissance using SMB Session Enumeration


Description

Enumeration using Server Message Block (SMB) protocol enables attackers to get
information about where users recently logged on. Once attackers have this
information, they can move laterally in the network to get to a specific
sensitive account.

In this detection, an alert is triggered when an SMB session enumeration is
performed against a domain controller.

MITRE

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), System Network Connections Discovery (T1049)
MITRE attack sub-technique: Domain Account (T1087.002)

TP, B-TP, or FP

Security scanners and applications may legitimately query domain controllers for
open SMB sessions.

 1. Is this source computer supposed to generate activities of this type?
 2. Is there some kind of security scanner running on the source computer? If
    the answer is yes, it's probably a B-TP activity. Close the security alert
    and exclude that computer.
 3. Check the users that performed the operation. Are those users supposed to
    perform those actions? If the answer is yes, Close the security alert as a
    B-TP activity.

Understand the scope of the breach

 1. Investigate the source computer.
 2. On the alert page, check if there are any exposed users. To further
    investigate each exposed user, check their profile. We recommend you begin
    your investigation with sensitive and high investigation priority users.

Suggested remediation and steps for prevention

 1. Contain the source computer.
 2. Find and remove the tool that performed the attack.

Note

To disable any Defender for Identity security alert, contact support.


SEE ALSO

 * Investigate a computer
 * Investigate a user
 * Working with security alerts
 * Compromised credential alerts
 * Lateral movement alerts
 * Domain dominance alerts
 * Exfiltration alerts
 * Defender for Identity SIEM log reference
 * Working with lateral movement paths
 * Check out the Defender for Identity forum!

