Submitted URL: https://aka.ms/atasaguide-recsmb
Effective URL: https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
Submission: On September 21 via manual from US — Scanned from US


RECONNAISSANCE AND DISCOVERY ALERTS

 * Article
 * 04/16/2023
 * 4 contributors

IN THIS ARTICLE

 1. Account enumeration reconnaissance (external ID 2003)
 2. Network-mapping reconnaissance (DNS) (external ID 2007)
 3. User and IP address reconnaissance (SMB) (external ID 2012)
 4. User and Group membership reconnaissance (SAMR) (external ID 2021)
 5. Active Directory attributes reconnaissance (LDAP) (external ID 2210)
 6. Honeytoken was queried via SAM-R (external ID 2426)
 7. Honeytoken was queried via LDAP (external ID 2429)
 8. See also

Typically, cyberattacks are launched against any accessible entity, such as a
low-privileged user, and then quickly move laterally until the attacker gains
access to valuable assets. Valuable assets can be sensitive accounts, domain
administrators, or highly sensitive data. Microsoft Defender for Identity
identifies these advanced threats at the source throughout the entire attack
kill chain and classifies them into the following phases:

 1. Reconnaissance and discovery
 2. Persistence and privilege escalation alerts
 3. Credential access alerts
 4. Lateral movement alerts
 5. Other alerts

To learn more about the structure and common components of all Defender for
Identity security alerts, see Understanding security alerts. For information
about the True positive (TP), Benign true positive (B-TP), and False positive
(FP) classifications, see security alert classifications.

The following security alerts help you identify and remediate suspicious
activities in the Reconnaissance and discovery phase that Defender for Identity
detects in your network.

Reconnaissance and discovery consist of techniques an adversary may use to gain
knowledge about the system and internal network. These techniques help
adversaries observe the environment and orient themselves before deciding how to
act. They also allow adversaries to explore what they can control and what’s
around their entry point to discover how it could benefit their current
objective. Native operating system tools are often used toward this
post-compromise information-gathering objective. In Microsoft Defender for
Identity, these alerts usually involve internal account enumeration with
different techniques.


ACCOUNT ENUMERATION RECONNAISSANCE (EXTERNAL ID 2003)

Previous name: Reconnaissance using account enumeration

Severity: Medium

Description:

In account enumeration reconnaissance, an attacker uses a dictionary of
thousands of user names, or tools such as KrbGuess, in an attempt to guess user
names in the domain.

Kerberos: The attacker makes Kerberos requests using these names to try to find
a valid username in the domain. When a guess matches an existing username, the
attacker receives the Kerberos error Preauthentication required instead of
Security principal unknown.

NTLM: The attacker makes NTLM authentication requests using the dictionary of
names to try to find a valid username in the domain. When a guess matches an
existing username, the attacker receives the NTLM error WrongPassword
(0xc000006a) instead of NoSuchUser (0xc0000064).

For this alert, Defender for Identity reports where the account enumeration
attack came from, the total number of guess attempts, and how many attempts
matched existing accounts. If the number of unknown users is too high, Defender
for Identity classifies the activity as suspicious. The alert is based on
authentication events from sensors running on domain controllers and AD FS
servers.
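The detection signal described above (many distinct unknown-user responses from one source, a few matched ones) can be reproduced over authentication events. This is an added example, not Microsoft's or the product's code; the event shape, the Kerberos error names, the thresholds and the sample events are assumptions constructed for illustration.

```python
# Added example (not Microsoft's code): flag the account-enumeration pattern
# described above from NTLM / Kerberos authentication failures. Event shape
# and thresholds are assumptions; the sample events are constructed.
from collections import defaultdict

# Error codes named in the article. An enumerating host accumulates
# unknown-user responses; a WrongPassword / Preauthentication-required
# response tells it the name exists (a "matched" guess).
NTLM_NO_SUCH_USER = 0xC0000064
NTLM_WRONG_PASSWORD = 0xC000006A
KRB_PRINCIPAL_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"  # "Security principal unknown"
KRB_PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"     # "Preauthentication required"

UNKNOWN = {NTLM_NO_SUCH_USER, KRB_PRINCIPAL_UNKNOWN}
MATCHED = {NTLM_WRONG_PASSWORD, KRB_PREAUTH_REQUIRED}


def summarize(events):
    """Per source host: total attempts, distinct unknown names, distinct matched names."""
    stats = defaultdict(lambda: {"attempts": 0, "unknown": set(), "matched": set()})
    for ev in events:
        s = stats[ev["src"]]
        s["attempts"] += 1
        if ev["status"] in UNKNOWN:
            s["unknown"].add(ev["user"].lower())
        elif ev["status"] in MATCHED:
            s["matched"].add(ev["user"].lower())
    return stats


def detect_enumeration(events, min_unknown=20, min_ratio=0.5):
    """Alert on sources whose distinct unknown-user count is large and makes up
    most of their traffic (both thresholds are illustrative assumptions).
    A single user mistyping a name never reaches the distinct-name floor."""
    alerts = []
    for src, s in summarize(events).items():
        unknown = len(s["unknown"])
        if unknown >= min_unknown and unknown / s["attempts"] >= min_ratio:
            alerts.append({"src": src, "attempts": s["attempts"],
                           "unknown_users": unknown, "matched_users": len(s["matched"])})
    return alerts


def sample_events():
    """Constructed sample: one host sprays a 60-name dictionary, alternating
    Kerberos and NTLM; a normal workstation has one typo and one wrong password."""
    valid = {"user007", "user021", "user042"}  # the only names that exist
    events = []
    for i in range(60):
        name = f"user{i:03d}"
        if i % 2 == 0:
            status = KRB_PREAUTH_REQUIRED if name in valid else KRB_PRINCIPAL_UNKNOWN
        else:
            status = NTLM_WRONG_PASSWORD if name in valid else NTLM_NO_SUCH_USER
        events.append({"src": "WS-ATTACK", "user": name, "status": status})
    events += [
        {"src": "WS-NORMAL", "user": "alice", "status": NTLM_WRONG_PASSWORD},
        {"src": "WS-NORMAL", "user": "alcie", "status": NTLM_NO_SUCH_USER},
        {"src": "WS-NORMAL", "user": "alice", "status": 0},  # 0 = success (assumption)
    ]
    return events


if __name__ == "__main__":
    for alert in detect_enumeration(sample_events()):
        print(alert)
```

The spraying host is reported with 60 attempts, 57 unknown users and 3 matched; the workstation with one typo stays below both thresholds.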

Learning period:

None

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087)
MITRE attack sub-technique: Domain Account (T1087.002)

Suggested steps for prevention:

 1. Enforce complex and long passwords in the organization. Complex and long
    passwords provide the necessary first level of security against brute-force
    attacks, which are typically the next step in the cyber-attack kill chain
    after enumeration.


NETWORK-MAPPING RECONNAISSANCE (DNS) (EXTERNAL ID 2007)

Previous name: Reconnaissance using DNS

Severity: Medium

Description:

Your DNS server contains a map of all the computers, IP addresses, and services
in your network. This information is used by attackers to map your network
structure and target interesting computers for later steps in their attack.

The DNS protocol has several query types. This Defender for Identity security
alert detects suspicious requests: either AXFR (zone transfer) requests
originating from non-DNS servers, or an excessive number of requests.
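Both patterns the alert looks for can be checked against a DNS query log. This is an added example, not Microsoft's or the product's code; the log line format, the list of known DNS servers, the query threshold and the sample lines are constructed assumptions.

```python
# Added example (not Microsoft's code): flag the two DNS reconnaissance
# patterns described above in a query log: AXFR (zone transfer) requests from
# hosts that are not DNS servers, and an excessive number of queries from one
# source. Log format, server list and threshold are assumptions; sample
# lines are constructed.
from collections import Counter, defaultdict

# Secondary DNS servers that may legitimately request zone transfers.
# Assumption: populate from your DNS server inventory.
KNOWN_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}


def parse_line(line):
    """Parse '<timestamp> <client_ip> <qtype> <qname>'; return None for junk."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()}


def detect_dns_recon(lines, max_queries=200):
    """Return alerts for zone transfers from non-DNS servers and for clients
    that exceed max_queries (an illustrative threshold) in the log window."""
    alerts = []
    per_client = Counter()
    distinct_names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["qtype"] == "AXFR" and rec["client"] not in KNOWN_DNS_SERVERS:
            alerts.append({"type": "axfr_from_non_dns_server",
                           "client": rec["client"], "zone": rec["qname"]})
        per_client[rec["client"]] += 1
        distinct_names[rec["client"]].add(rec["qname"])
    for client, n in per_client.items():
        if n > max_queries:
            alerts.append({"type": "excessive_queries", "client": client,
                           "queries": n, "distinct_names": len(distinct_names[client])})
    return alerts


def sample_log():
    """Constructed log: a secondary pulls a zone (fine), a workstation asks for
    the same transfer (alert), another workstation sweeps a /24 with PTR
    lookups (alert), and a third does ordinary lookups. One junk line."""
    lines = [
        "2023-04-16T10:00:00Z 10.0.1.53 AXFR corp.example.",
        "2023-04-16T10:00:01Z 10.0.5.77 AXFR corp.example.",
        "unparseable line",
    ]
    lines += [f"2023-04-16T10:01:{i % 60:02d}Z 10.0.5.78 PTR {i}.5.0.10.in-addr.arpa."
              for i in range(1, 255)]
    lines += [f"2023-04-16T10:02:00Z 10.0.5.10 A host{i}.corp.example." for i in range(5)]
    return lines


if __name__ == "__main__":
    for alert in detect_dns_recon(sample_log()):
        print(alert)
```

The zone transfer from the secondary server produces nothing; the one from the workstation and the 254-query reverse sweep each produce an alert.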

Learning period:

This alert has a learning period of eight days from the start of domain
controller monitoring.

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), Network Service Scanning
(T1046), Remote System Discovery (T1018)
MITRE attack sub-technique: N/A

Suggested steps for prevention:

It's important to prevent future attacks using AXFR queries by securing your
internal DNS server.

 * Secure your internal DNS server to prevent reconnaissance using DNS by
   disabling zone transfers or by restricting zone transfers only to specified
   IP addresses. Modifying zone transfers is one task among a checklist that
   should be addressed for securing your DNS servers from both internal and
   external attacks.


USER AND IP ADDRESS RECONNAISSANCE (SMB) (EXTERNAL ID 2012)

Previous name: Reconnaissance using SMB Session Enumeration

Severity: Medium

Description:

Enumeration using Server Message Block (SMB) protocol enables attackers to get
information about where users recently logged on. Once attackers have this
information, they can move laterally in the network to get to a specific
sensitive account.

In this detection, an alert is triggered when an SMB session enumeration is
performed against a domain controller.

Learning period:

None

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), System Network Connections
Discovery (T1049)
MITRE attack sub-technique: Domain Account (T1087.002)


USER AND GROUP MEMBERSHIP RECONNAISSANCE (SAMR) (EXTERNAL ID 2021)

Previous name: Reconnaissance using directory services queries

Severity: Medium

Description:

User and group membership reconnaissance is used by attackers to map the
directory structure and target privileged accounts for later steps in their
attack. The Security Account Manager Remote (SAM-R) protocol is one of the
methods used to query the directory to perform this type of mapping. In this
detection, no alerts are triggered in the first month after Defender for
Identity is deployed (the learning period). During the learning period, Defender
for Identity profiles which SAM-R queries are made from which computers, both
enumeration and individual queries of sensitive accounts.

Learning period:

Four weeks per domain controller starting from the first network activity of
SAMR against the specific DC.

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), Permission Groups Discovery
(T1069)
MITRE attack sub-technique: Domain Account (T1087.002), Domain Group (T1069.002)

Suggested steps for prevention:

 1. Apply the Network access: Restrict clients allowed to make remote calls to
    SAM group policy setting.


ACTIVE DIRECTORY ATTRIBUTES RECONNAISSANCE (LDAP) (EXTERNAL ID 2210)

Severity: Medium

Description:

Active Directory LDAP reconnaissance is used by attackers to gain critical
information about the domain environment. This information can help attackers
map the domain structure, as well as identify privileged accounts for use in
later steps in their attack kill chain. Lightweight Directory Access Protocol
(LDAP) is one of the most popular methods used for both legitimate and malicious
purposes to query Active Directory.

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087), Indirect Command Execution
(T1202), Permission Groups Discovery (T1069)
MITRE attack sub-technique: Domain Account (T1087.002), Domain Groups
(T1069.002)

Learning period:

None


HONEYTOKEN WAS QUERIED VIA SAM-R (EXTERNAL ID 2426)

Severity: Low

Description:

User reconnaissance is used by attackers to map the directory structure and
target privileged accounts for later steps in their attack. The Security Account
Manager Remote (SAM-R) protocol is one of the methods used to query the
directory to perform this type of mapping. In this detection, Microsoft Defender
for Identity triggers the alert for any reconnaissance activity against a
pre-configured honeytoken user.

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087)
MITRE attack sub-technique: Domain Account (T1087.002)

Learning period:

None


HONEYTOKEN WAS QUERIED VIA LDAP (EXTERNAL ID 2429)

Severity: Low

Description:

User reconnaissance is used by attackers to map the directory structure and
target privileged accounts for later steps in their attack. Lightweight
Directory Access Protocol (LDAP) is one of the most popular methods used for
both legitimate and malicious purposes to query Active Directory. In this
detection, Microsoft Defender for Identity triggers the alert for any
reconnaissance activity against a pre-configured honeytoken user.
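The two honeytoken alerts (SAM-R, external ID 2426, and LDAP, external ID 2429) share one idea: a decoy account that nothing legitimate should query, so the first touch is the alert and no learning period applies. This added example (not Microsoft's or the product's code) shows that tripwire over constructed SAM-R and LDAP query records; the record shape, field names and decoy account names are assumptions.

```python
# Added example (not Microsoft's code): a honeytoken tripwire over SAM-R and
# LDAP query records, the logic both honeytoken alerts above describe. Any
# query that names a decoy account directly, or an enumeration whose results
# include one, raises an alert on the first hit; there is no learning period.
# Record shape, field names and account names are constructed assumptions.
import re

# Pre-configured decoy accounts that no legitimate process should touch (constructed).
HONEYTOKENS = {"svc-backup-ht", "ws-admin-ht"}

# Equality assertions on sAMAccountName or cn; wildcard values are skipped.
_NAME_IN_FILTER = re.compile(r"\((?:sAMAccountName|cn)=([^)*]+)\)", re.IGNORECASE)


def names_in_ldap_filter(ldap_filter):
    """Return the account names an LDAP filter asks for, lower-cased."""
    return {m.lower() for m in _NAME_IN_FILTER.findall(ldap_filter)}


def honeytoken_hits(records):
    """One alert per record that touched a honeytoken. 'direct' is True when the
    query named the account; False when it surfaced in enumeration results."""
    alerts = []
    for rec in records:
        if rec["protocol"] == "LDAP":
            asked = names_in_ldap_filter(rec.get("filter", ""))
        elif rec["protocol"] == "SAM-R":
            asked = {n.lower() for n in rec.get("lookup_names", [])}
        else:
            continue
        returned = {n.lower() for n in rec.get("returned", [])}
        hit = (asked | returned) & HONEYTOKENS
        if hit:
            alerts.append({"src": rec["src"], "protocol": rec["protocol"],
                           "honeytokens": sorted(hit), "direct": bool(asked & HONEYTOKENS)})
    return alerts


def sample_records():
    """Constructed records: a normal lookup, a SAM-R name lookup of a decoy, a
    broad LDAP enumeration that returns both decoys, and a case-varied cn lookup."""
    return [
        {"src": "WS-12", "protocol": "LDAP",
         "filter": "(&(objectClass=user)(sAMAccountName=alice))", "returned": ["alice"]},
        {"src": "WS-77", "protocol": "SAM-R",
         "lookup_names": ["svc-backup-ht"], "returned": ["svc-backup-ht"]},
        {"src": "WS-77", "protocol": "LDAP", "filter": "(objectClass=user)",
         "returned": ["alice", "bob", "svc-backup-ht", "ws-admin-ht"]},
        {"src": "WS-12", "protocol": "LDAP", "filter": "(cn=WS-Admin-HT)",
         "returned": ["ws-admin-ht"]},
    ]


if __name__ == "__main__":
    for alert in honeytoken_hits(sample_records()):
        print(alert)
```

The ordinary lookup of alice is silent; the SAM-R lookup, the broad enumeration that returned both decoys, and the mixed-case cn lookup each raise an alert.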

MITRE:

Primary MITRE tactic: Discovery (TA0007)
MITRE attack technique: Account Discovery (T1087)
MITRE attack sub-technique: Domain Account (T1087.002)

Learning period:

None


SEE ALSO

 * Investigate assets
 * Understanding security alerts
 * Manage security alerts
 * Defender for Identity SIEM log reference
 * Working with lateral movement paths
 * Check out the Defender for Identity forum!
