This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.
One of the first things an attacker does after gaining access to your environment is reconnaissance. The goal is to move off the system that provided the initial foothold and establish a presence on other, higher-value IT assets, up to and including the domain controller. To do that, attackers try to determine both which IT assets are deployed in the environment and whether accounts with elevated permissions exist that would let them gain access to those systems.
Identifying valid user accounts within the environment is therefore a critical step. For defenders, monitoring an environment for scripted or automated efforts to identify (or “enumerate”) valid accounts is an effective way to detect suspicious or malicious activity at an early stage. In this post, we take a look at how QOMPLX’s technology helps customers spot this kind of malicious account enumeration activity, which is often an early indication that an attack is under way.
- Monitoring for excessive Kerberos authentication ticket (TGT) requests issued from a single source with no pre-authentication is critical to spotting attempts at user account enumeration.
- Account enumeration can set up follow-on attacks such as password spraying designed to grant access to user accounts with elevated permissions.
- Windows Event ID 4768 (a Kerberos authentication ticket (TGT) was requested) is associated with this activity and should be monitored closely for excess requests.
- QOMPLX IA allows users to monitor for excess TGT requests and identify compromised accounts before lateral movement takes place.
How Account Enumeration Works
Attackers who have gained access to any segment of a target environment are in a position to do reconnaissance on that environment and enable further attacks. Gathering usernames and passwords for other network user and administrator accounts is a critical element of that reconnaissance.
To identify valid users, attackers typically combine information gathered through open source research, such as employee or customer names, with automated tools that quickly test which of those names correspond to active accounts.
Vulnerabilities in key infrastructure like Active Directory and Kerberos help them in their work. For example, when the Kerberos KDC receives a TGT request (AS-REQ) with no pre-authentication for an invalid username, it responds with a specific error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. The same request for a valid username returns KRB5KDC_ERR_PREAUTH_REQUIRED or, if the account does not require pre-authentication, a TGT in an AS-REP response. The difference in responses tells the attacker which usernames exist.
Using tools like Metasploit, nmap or Kerbrute, attackers can cycle through thousands of possible usernames in a matter of minutes and use these standardized responses to identify valid accounts.
QOMPLX Identity Assurance (IA) uses windowed detection rules to monitor for Windows Event ID 4768 (a Kerberos authentication ticket (TGT) was requested). QOMPLX IA looks for excessive tickets with no pre-authentication requested from a single source. Such activity is suggestive of a dictionary attack or other effort to enumerate account names.
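The following is an added example, not QOMPLX IA code or any rule from the original post, of the windowed detection described above: it reads flattened Event ID 4768 records, keeps only requests sent with no pre-authentication (PreAuthType=0), counts them per client address over a sliding time window, and, when a source crosses the threshold, reports how many of the usernames it tried the KDC said were unknown (result code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN) versus existing (0x19, KDC_ERR_PREAUTH_REQUIRED, or a successful TGT). The one-line log format, the field names, the threshold and window values, and the sample records are all assumptions constructed for this example; a real deployment would map the fields from the Windows event XML or from the SIEM's schema.

```python
"""Windowed detection of Kerberos user enumeration from Event ID 4768 records.

Added example: not QOMPLX IA code. The log line format and sample data below are
constructed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Kerberos result codes as they appear in the 4768 "Result Code" field.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # username does not exist in the realm
KDC_ERR_PREAUTH_REQUIRED = 0x19     # username exists; KDC demands pre-authentication
KDC_SUCCESS = 0x0                   # TGT issued

# Hypothetical flattened 4768 line format (field names mirror the Windows event XML:
# TargetUserName, IpAddress, PreAuthType, Status). Assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4768 TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) "
    r"PreAuthType=(?P<preauth>\d+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)


def parse_4768(line):
    """Return a dict for a 4768 line in the assumed format, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "user": m["user"],
        "ip": m["ip"],
        "preauth": int(m["preauth"]),
        "status": int(m["status"], 16),
    }


def detect_enumeration(lines, window=timedelta(minutes=1), threshold=10):
    """Sliding-window count of no-pre-auth TGT requests per client address.

    An alert is raised for a source the first time it issues `threshold` or more
    TGT requests with PreAuthType=0 inside `window`. The alert summarises how many
    distinct usernames the KDC reported unknown versus existing so far, which is
    the signal an enumeration tool is harvesting.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent no-pre-auth requests
    unknown = defaultdict(set)    # ip -> usernames that returned C_PRINCIPAL_UNKNOWN
    existing = defaultdict(set)   # ip -> usernames that returned PREAUTH_REQUIRED or a TGT
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_4768(line)
        if ev is None or ev["preauth"] != 0:
            continue  # only requests sent without pre-authentication matter here
        ip = ev["ip"]
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop requests older than the window
            q.popleft()
        if ev["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[ip].add(ev["user"])
        elif ev["status"] in (KDC_ERR_PREAUTH_REQUIRED, KDC_SUCCESS):
            existing[ip].add(ev["user"])
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "source": ip,
                "first_seen": q[0],
                "requests_in_window": len(q),
                "unknown_users": len(unknown[ip]),
                "existing_users": len(existing[ip]),
            })
    return alerts


def sample_log():
    """Constructed sample records (not captured traffic): one wordlist burst plus normal noise."""
    base = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Burst: 12 usernames tried from one address in 22 seconds; two of them exist.
    names = ["user0", "user1", "alice", "user2", "user3", "user4",
             "svc_backup", "user5", "user6", "user7", "user8", "user9"]
    for i, name in enumerate(names):
        status = "0x6" if name.startswith("user") else "0x19"
        t = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{t} EventID=4768 TargetUserName={name} IpAddress=10.0.0.5 "
                     f"PreAuthType=0 Status={status}")
    # Normal logons with pre-authentication supplied (type 2), spread over minutes: ignored.
    for i in range(3):
        t = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(f"{t} EventID=4768 TargetUserName=bob IpAddress=10.0.0.7 "
                     f"PreAuthType=2 Status=0x0")
    # A single mistyped username from a workstation: counted, but far below threshold.
    t = (base + timedelta(minutes=2)).strftime(fmt)
    lines.append(f"{t} EventID=4768 TargetUserName=bobb IpAddress=10.0.0.7 "
                 f"PreAuthType=0 Status=0x6")
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(sample_log()):
        print(alert)
```

Alerting on the first crossing keeps the rule quiet on a noisy source, while the unknown-versus-existing split in the alert tells an analyst whether the source was merely misconfigured (many failures for one or two names) or was working through a wordlist (many distinct unknown names with a few hits). The window and threshold should be tuned against a baseline of no-pre-auth requests in the environment, since some legacy clients and accounts with pre-authentication disabled generate them legitimately.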
The earlier your organization can detect and respond to early-stage malicious activity such as username enumeration, the more likely you are to stop the attacker before damage is done.