• QOMPLX Knowledge
  • Apr 27, 2021
  • By QOMPLX

QOMPLX Knowledge: Detecting Account Name Enumeration

This is the latest in a series of posts we’re calling “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

One of the first things that an attacker does after gaining access to your environment is reconnaissance. The goal is to move off of the system that provided an initial foothold and to establish a presence on other, higher value IT assets up to and including the domain controller. To do that, attackers will try to determine both what IT assets are deployed in the environment and whether accounts with elevated permissions exist that will allow them to gain access to those systems.

Identifying valid user accounts within the environment, therefore, is a critical step. For defenders, monitoring an environment for scripted or automated efforts to identify (or “enumerate”) valid accounts is an effective way to detect suspicious or malicious activity at an early stage. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot this kind of malicious account enumeration activity, which often is an early indication that an attack is taking place.

Key Points

  • Monitoring for excessive Kerberos authentication ticket requests issued from a single source with no pre-authentication is critical to spotting attempts at user account enumeration.
  • Account enumeration can set up follow-on attacks such as password spraying designed to grant access to user accounts with elevated permissions.
  • Windows Event ID 4768 (a Kerberos authentication ticket (TGT) was requested) is associated with this activity and should be monitored closely for excess requests.
  • QOMPLX IA allows users to monitor for excess TGT requests and identify compromised accounts before lateral movement takes place.

How Account Enumeration Works

Attackers who have gained access to any segment of a target environment are in a position to do reconnaissance on that environment and enable further attacks. Gathering usernames and passwords for other network user and administrator accounts is a critical element of that reconnaissance.

To identify valid users, attackers typically combine information they have already gathered, such as employee or customer names collected through open source research, with automated tools that quickly test for active accounts.

Vulnerabilities in key infrastructure like Active Directory and Kerberos help them in their work. For example, when Kerberos receives an authentication ticket (TGT) request with no pre-authentication for an invalid username, it responds with a specific message: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN. Requests for valid usernames instead return a KRB5KDC_ERR_PREAUTH_REQUIRED response, or a TGT in an AS-REP response.

Using tools like Metasploit, nmap or Kerbrute, attackers can cycle through thousands of possible usernames in a matter of minutes and use these standardized responses to identify valid accounts.

QOMPLX Detection

QOMPLX Identity Assurance (IA) uses windowed detection rules to monitor for Windows Event ID 4768 (a Kerberos authentication ticket (TGT) was requested). QOMPLX IA looks for excessive tickets with no pre-authentication requested from a single source. Such activity is suggestive of a dictionary attack or other effort to enumerate account names.
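The following Python is an added example, not QOMPLX IA's own rule logic: it sketches the windowed check described above over constructed 4768-style records, using the response distinction from the previous section (valid accounts versus KDC_ERR_C_PRINCIPAL_UNKNOWN, result code 0x6) to summarize what a flagged source was probing. Field names, IP addresses, usernames and the window and threshold values are assumptions, not settings from the product.

```python
"""Windowed detection of Kerberos account enumeration over constructed Event ID 4768 records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values as they appear in the 4768 Status and Pre-Authentication Type fields.
ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: username does not exist
NO_PREAUTH = "0"                  # Pre-Authentication Type 0: no pre-auth data was sent


def make_events():
    """Constructed 4768-style records: a benign baseline plus one enumeration burst."""
    t0 = datetime(2021, 4, 27, 9, 0, 0)
    ts = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    events = [
        {"time": ts(0), "ip": "10.0.1.20", "user": "jsmith", "preauth": "2", "status": "0x0"},
        {"time": ts(5), "ip": "10.0.1.21", "user": "alee", "preauth": "2", "status": "0x0"},
        # an account with pre-auth disabled: one no-pre-auth request is normal, not an alert
        {"time": ts(40), "ip": "10.0.1.22", "user": "svc_legacy", "preauth": NO_PREAUTH, "status": "0x0"},
    ]
    # Burst: 30 username guesses from one host in 30 seconds, none with pre-authentication.
    for i in range(30):
        valid = i % 5 == 0        # 6 of the 30 guesses happen to hit real accounts
        events.append({"time": ts(10 + i), "ip": "10.0.9.99", "user": f"user{i:03d}",
                       "preauth": NO_PREAUTH,
                       "status": "0x0" if valid else ERR_C_PRINCIPAL_UNKNOWN})
    return sorted(events, key=lambda e: e["time"])


def detect_enumeration(events, window_seconds=60, threshold=20):
    """Return {source_ip: summary} for every source that sends at least `threshold`
    no-pre-auth TGT requests within a sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source (timestamp, user, status) still inside the window
    alerts = {}
    for e in events:              # events must be in time order
        if e["preauth"] != NO_PREAUTH:
            continue              # ordinary pre-authenticated logons are out of scope
        t = datetime.fromisoformat(e["time"])
        q = recent[e["ip"]]
        q.append((t, e["user"], e["status"]))
        while t - q[0][0] > window:
            q.popleft()           # drop requests that have aged out of the window
        if len(q) >= threshold:   # summary is refreshed as the burst grows
            alerts[e["ip"]] = {
                "requests": len(q),
                "distinct_users": len({u for _, u, _ in q}),
                "unknown_principals": sum(s == ERR_C_PRINCIPAL_UNKNOWN for _, _, s in q),
                "valid_users": sorted(u for _, u, s in q if s == "0x0"),
            }
    return alerts
```

The "valid_users" list in an alert is the triage payload: those are the accounts the source confirmed exist and the ones to watch for follow-on password spraying.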

The earlier your organization can detect and respond to early-stage malicious activities such as username enumeration, the more likely you will be to stop the attacker before damage can be done.

Additional Reading

QOMPLX Knowledge: Detecting New Members Added To Sensitive Groups

QOMPLX Knowledge: Detecting Password Spraying Attacks

Q:CYBER Ingesting Windows Event Logs

Q:CYBER Using Windowed Rules for Advanced Detection

QOMPLX Knowledge: Golden Ticket Attacks Explained

QOMPLX Knowledge: Silver Ticket Attacks Explained

QOMPLX Knowledge: Responding to Golden Ticket Attacks

QOMPLX Knowledge: DCSync Attacks Explained

QOMPLX Knowledge: DCShadow Attacks Explained

QOMPLX Knowledge: Pass-the-Ticket Attacks Explained

QOMPLX Knowledge: Kerberoasting Attacks Explained
