We take a look at how QOMPLX’s technology helps customers to spot malicious account enumeration activity, which often is an early indication that an attack is taking place.

QOMPLX Knowledge: Detecting Account Name Enumeration

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

One of the first things that an attacker does after gaining access to your environment is reconnaissance. The goal is to move off of the system that provided an initial foothold and to establish a presence on other, higher value IT assets up to and including the domain controller. To do that, attackers will try to determine both what IT assets are deployed in the environment and whether accounts with elevated permissions exist that will allow them to gain access to those systems.

Identifying valid user accounts within the environment is therefore a critical step for the attacker. For defenders, monitoring an environment for scripted or automated efforts to identify (or “enumerate”) valid accounts is an effective way to detect suspicious or malicious activity at an early stage. In this post, we take a look at how QOMPLX’s technology helps customers spot this kind of malicious account enumeration activity, which is often an early indication that an attack is taking place.

Key Points

  • Monitoring for excessive Kerberos authentication ticket (TGT) requests issued from a single source with no pre-authentication is critical to spotting attempts at user account enumeration.
  • Account enumeration can set up follow-on attacks such as password spraying, which aim to gain access to user accounts with elevated permissions.
  • Windows Event ID 4768 (a Kerberos authentication ticket (TGT) was requested) is associated with this activity and should be monitored closely for excessive requests.
  • QOMPLX IA allows users to monitor for excessive TGT requests and identify compromised accounts before lateral movement takes place.

How Account Enumeration Works

Attackers who have gained access to any segment of a target environment are in a position to do reconnaissance on that environment and enable further attacks. Gathering usernames and passwords for other network user and administrator accounts is a critical element of that reconnaissance.

To identify valid users, attackers typically combine information they have already gathered, such as employee or customer names found through open source research, with automated tools that quickly test whether each candidate account exists.

Vulnerabilities in key infrastructure like Active Directory and Kerberos help them in their work. For example, when the Kerberos KDC receives an authentication (TGT) request with no pre-authentication for a username that does not exist, it responds with a specific error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. The same request for a valid username instead returns KRB5KDC_ERR_PREAUTH_REQUIRED, or a TGT in an AS-REP response for accounts that do not require pre-authentication.

Using tools like Metasploit, nmap or Kerbrute, attackers can cycle through thousands of possible usernames in a matter of minutes and use these standardized responses to tell valid accounts from invalid ones.

QOMPLX Detection

QOMPLX Identity Assurance (IA) uses windowed detection rules to monitor Windows Event ID 4768 (a Kerberos authentication ticket (TGT) was requested). QOMPLX IA looks for an excessive number of ticket requests with no pre-authentication coming from a single source within a short time window. Such activity is suggestive of a dictionary attack or another effort to enumerate account names.
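The following is an added illustration of the windowed rule described above; it is example code written for this post, not QOMPLX's own detection logic. It assumes Event ID 4768 records have been parsed into dictionaries keyed by the event's own EventData field names (IpAddress, TargetUserName, PreAuthType, Status); the window length, the threshold and the sample events are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Helper to build a constructed 4768 record. PreAuthType 0 means no
# pre-authentication was supplied. Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN,
# 0x19 = KDC_ERR_PREAUTH_REQUIRED, 0x0 = a TGT was issued.
def _ev(ts, ip, user, preauth, status):
    return {"time": ts, "IpAddress": ip, "TargetUserName": user,
            "PreAuthType": preauth, "Status": status}

# Constructed sample: routine logons from two workstations, then a burst of
# no-pre-auth TGT requests for many different names from one source.
SAMPLE = [
    _ev("2021-07-20T09:00:00", "10.0.0.5", "alice", 2, "0x0"),   # normal logon
    _ev("2021-07-20T09:00:03", "10.0.0.6", "bob", 0, "0x19"),    # single benign probe
    _ev("2021-07-20T09:00:04", "10.0.0.6", "bob", 2, "0x0"),
] + [
    _ev(f"2021-07-20T09:01:{i:02d}", "10.0.0.77", name, 0, "0x6")  # unknown names
    for i, name in enumerate(["jsmith", "mjones", "kwilliams", "tbrown", "ldavis",
                              "rmiller", "swilson", "amoore", "ctaylor", "banderson"])
] + [
    _ev("2021-07-20T09:01:10", "10.0.0.77", "alice", 0, "0x19"),     # valid account found
    _ev("2021-07-20T09:01:11", "10.0.0.77", "svc-backup", 0, "0x0"),  # no pre-auth required
]

def detect_enumeration(events, window=timedelta(seconds=60), threshold=10):
    """Sliding-window rule: flag a source IP once it has requested TGTs without
    pre-authentication for at least `threshold` distinct usernames inside `window`.
    Returns {ip: summary} where summary counts distinct names, unknown-principal
    errors and distinct names the KDC confirmed as valid (0x19 or 0x0)."""
    recent = defaultdict(deque)  # ip -> (time, user, status) tuples inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["PreAuthType"] != 0:
            continue  # pre-authenticated requests are normal logons, not probes
        t = datetime.fromisoformat(e["time"])
        q = recent[e["IpAddress"]]
        q.append((t, e["TargetUserName"], e["Status"]))
        while t - q[0][0] > window:
            q.popleft()  # expire events that fell out of the window
        users = {u for _, u, _ in q}
        if len(users) >= threshold:
            summary = {"distinct_users": len(users),
                       "unknown_principal": sum(1 for _, _, s in q if s == "0x6"),
                       "valid_accounts": len({u for _, u, s in q if s in ("0x19", "0x0")})}
            prev = alerts.get(e["IpAddress"])
            if prev is None or summary["distinct_users"] > prev["distinct_users"]:
                alerts[e["IpAddress"]] = summary  # keep the peak seen for this source
    return alerts

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE))
```

Counting distinct target names per source, rather than single events, keeps the routine one-off no-pre-auth request from a workstation (10.0.0.6 above) below the threshold while the burst from 10.0.0.77 fires.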

The earlier your organization can detect and respond to early-stage malicious activity such as username enumeration, the more likely you are to stop the attacker before damage is done.

Additional Reading

  • QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups
  • QOMPLX Knowledge: Detecting Password Spraying Attacks
  • Q:CYBER Ingesting Windows Event Logs
  • Q:CYBER Using Windowed Rules for Advanced Detection
  • QOMPLX Knowledge: Golden Ticket Attacks Explained
  • QOMPLX Knowledge: Silver Ticket Attacks Explained
  • QOMPLX Knowledge: Responding to Golden Ticket Attacks
  • QOMPLX Knowledge: DCSync Attacks Explained
  • QOMPLX Knowledge: DCShadow Attacks Explained
  • QOMPLX Knowledge: Pass-the-Ticket Attacks Explained
  • QOMPLX Knowledge: Kerberoasting Attacks Explained
