Microsoft Defender for Identity Alert Details
Alert ID: MDI-ACCT-DISCOVERY-1087-7842
Alert Time: 2024-02-23 14:15:33 EST
Severity: MEDIUM (72/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Account Enumeration via SAMR”
MITRE ATT&CK: T1087.002 – Account Discovery: Domain Account
Alert Details:
Detection: Multiple SAMR (Security Account Manager Remote protocol, MS-SAMR) queries issued to a domain controller from a single host
Source Host: ENG-WS-045 (Engineering Workstation)
User: rpatel@company.com (Raj Patel, Engineer)
Time: 14:10-14:15 EST
SAMR Queries:
14:10:15 – SamrEnumerateDomainsInSamServer (enumerate domains)
14:10:30 – SamrLookupDomainInSamServer (get domain SID)
14:10:45 – SamrOpenDomain (open domain handle)
14:11:00 – SamrEnumerateUsersInDomain (list all users) – 3,247 users enumerated
14:11:30 – SamrEnumerateGroupsInDomain (list all groups)
14:12:00 – SamrQueryInformationUser (detailed info for specific users)
14:12:30 – SamrQueryInformationGroup (detailed info for admin groups)
Targeted Accounts:
Domain Admins group – queried
Enterprise Admins group – queried
krbtgt account – queried
All users with “admin” in name – queried
Service accounts – queried
Detection Logic:
3,247 user accounts enumerated (high volume)
Process: powershell.exe (directory queries issued via ADSI / .NET DirectoryServices)
Parent: cmd.exe launched by user rpatel
User normally does not perform account discovery
Pattern matches adversary reconnaissance
Additional Context:
User rpatel had previous security incidents
No legitimate business need for domain-wide enumeration
Queries performed via PowerShell (unusual for this user)
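The detection logic above combines three signals: enumeration volume, queries against sensitive objects (Domain Admins, Enterprise Admins, krbtgt), and an actor with no enumeration baseline. The following is an added illustration of that scoring, not Microsoft Defender for Identity code; the event schema, weights and thresholds are assumptions, and the sample telemetry is constructed to mirror the timeline in the alert (plus one routine helpdesk lookup that must not fire).

```python
"""Scoring logic for a SAMR account-enumeration detection (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# MS-SAMR operations that read account or group data.
ENUM_OPS = {
    "SamrEnumerateUsersInDomain", "SamrEnumerateGroupsInDomain",
    "SamrQueryInformationUser", "SamrQueryInformationGroup",
}
# Objects whose lookup is interesting regardless of volume (lower-cased).
SENSITIVE_TARGETS = {"domain admins", "enterprise admins", "krbtgt"}


def _ev(time, host, user, op, target="", count=1):
    return {"time": time, "host": host, "user": user, "op": op,
            "target": target, "count": count}


# Constructed sample: rpatel's sequence from the alert, plus a routine
# helpdesk lookup from another host that must not alert.
SAMPLE_EVENTS = [
    _ev("2024-02-23T14:10:15", "ENG-WS-045", "rpatel", "SamrEnumerateDomainsInSamServer"),
    _ev("2024-02-23T14:10:30", "ENG-WS-045", "rpatel", "SamrLookupDomainInSamServer", "COMPANY"),
    _ev("2024-02-23T14:10:45", "ENG-WS-045", "rpatel", "SamrOpenDomain", "COMPANY"),
    _ev("2024-02-23T14:11:00", "ENG-WS-045", "rpatel", "SamrEnumerateUsersInDomain", "COMPANY", 3247),
    _ev("2024-02-23T14:11:30", "ENG-WS-045", "rpatel", "SamrEnumerateGroupsInDomain", "COMPANY", 487),
    _ev("2024-02-23T14:12:00", "ENG-WS-045", "rpatel", "SamrQueryInformationUser", "krbtgt"),
    _ev("2024-02-23T14:12:30", "ENG-WS-045", "rpatel", "SamrQueryInformationGroup", "Domain Admins"),
    _ev("2024-02-23T14:12:35", "ENG-WS-045", "rpatel", "SamrQueryInformationGroup", "Enterprise Admins"),
    _ev("2024-02-23T14:12:00", "IT-ADM-01", "svc-helpdesk", "SamrQueryInformationUser", "jdoe"),
]

# Assumed weights: high volume 35, sensitive targets 15 each (capped at 30),
# actor with no enumeration baseline 20. Alert at >= 60, HIGH at >= 80.
VOLUME_THRESHOLD = 1000
WINDOW = timedelta(minutes=5)


def detect_samr_enumeration(events, baseline_enumerators):
    """Return one alert per (host, user) whose SAMR activity scores >= 60.

    Events are grouped per actor and scored over the window that starts at
    the actor's first event. `baseline_enumerators` is the set of accounts
    for which enumeration is routine (e.g. helpdesk automation).
    """
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        start = datetime.fromisoformat(evs[0]["time"])
        window = [e for e in evs
                  if datetime.fromisoformat(e["time"]) - start <= WINDOW]

        users_enumerated = sum(e["count"] for e in window
                               if e["op"] == "SamrEnumerateUsersInDomain")
        sensitive = sorted({e["target"] for e in window
                            if e["target"].lower() in SENSITIVE_TARGETS})
        does_enumerate = any(e["op"] in ENUM_OPS for e in window)

        score, reasons = 0, []
        if users_enumerated >= VOLUME_THRESHOLD:
            score += 35
            reasons.append(f"{users_enumerated} users enumerated")
        if sensitive:
            score += min(30, 15 * len(sensitive))
            reasons.append("sensitive targets: " + ", ".join(sensitive))
        if does_enumerate and user not in baseline_enumerators:
            score += 20
            reasons.append(f"{user} has no enumeration baseline")
        if score < 60:
            continue
        alerts.append({
            "host": host, "user": user, "score": score,
            "severity": "HIGH" if score >= 80 else "MEDIUM",
            "users_enumerated": users_enumerated,
            "sensitive_targets": sensitive,
            "reasons": reasons,
            "window_start": start.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_samr_enumeration(SAMPLE_EVENTS, {"svc-helpdesk"}):
        print(alert)
```

With the helpdesk account baselined, only ENG-WS-045/rpatel fires (score 85, HIGH); adding rpatel to the baseline drops the same activity to 65, which shows why the per-user baseline matters as much as the raw volume threshold.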
SOC Investigation Process
Step                      | Action                     | Tools Used                        | Findings
1. Alert Validation       | Verify MDI alert           | Microsoft Defender for Identity   | Confirmed domain account enumeration
2. Process Investigation  | Identify PowerShell script | CrowdStrike Falcon                | Found PowerView script (Active Directory reconnaissance tool)
3. User Interview         | Contact rpatel             | Teams, Phone                      | User claims “researching security” – unauthorized
4. Tool Removal           | Delete PowerView script    | CrowdStrike Live Response         | Script removed from Downloads folder
5. User Remediation       | User counseling            | Manager, HR                       | Policy violation documented
6. Threat Hunting         | Check for other enumeration| MDI, Splunk                       | No other hosts with same activity
Jira Incident Report
Ticket: SOC-2024-117
Summary: T1087 – Domain Account Discovery via PowerView
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Reconnaissance
Priority: P3 – LOW
Labels: T1087, account-discovery, powerview, mdi, policy-violation
Components: Identity-Monitoring, User-Behavior
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Account Enumeration via SAMR”.
Source Host: ENG-WS-045 (Engineering Department, user rpatel).
Time: 2024-02-23 14:15 EST.
Technique: MITRE ATT&CK T1087.002 – Account Discovery: Domain Account.
2. Technical Analysis:
Enumeration Details:
Tool: PowerView.ps1 (the PowerSploit Active Directory reconnaissance script)
Commands Executed:
Get-NetUser – enumerated all 3,247 domain users
Get-NetGroup – enumerated all domain groups
Get-NetGroupMember -GroupName “Domain Admins” – listed all domain admins
Get-NetUser -Username *admin* – searched for admin accounts
Get-NetComputer – listed all domain computers
Scope of Enumeration:
All domain users (3,247 accounts)
All domain groups (487 groups)
Domain Admins group (12 members)
Enterprise Admins group (5 members)
Service accounts (234 accounts)
Domain controllers (4)
File servers (23)
User Intent:
User claimed “researching security for a presentation”
No malicious intent identified
No data exfiltration
No unauthorized access attempted
Policy Violation:
No authorization for security testing
PowerView is a penetration-testing tool
Domain enumeration violates acceptable use policy
3. Investigation Findings:
Timeline:
14:10-14:15 – Enumeration performed
14:15 – MDI alert
14:17 – SOC investigates
14:20 – User contacted
14:25 – PowerView script identified and removed
14:30 – User interview complete
Indicators of Compromise (IoCs):
Files:
– C:\Users\rpatel\Downloads\PowerView.ps1 (SHA256: a1b2c3d4…)
Commands:
– Get-NetUser, Get-NetGroup, Get-NetGroupMember
Process:
– powershell.exe executing PowerView functions
4. Containment Actions:
Immediate Actions:
Removed PowerView script from Downloads folder.
Cleared PowerShell history.
No isolation needed (non-malicious activity).
User Remediation:
User counseled on policy violation.
Required to complete security awareness training.
Documentation sent to manager for review.
Monitoring:
Enhanced monitoring for this user’s account.
No further suspicious activity observed.
5. Root Cause Analysis:
Primary Cause: User downloaded and executed unauthorized reconnaissance tool.
Contributing Factors:
No application control blocking PowerView.
User unaware of policy against domain enumeration.
Curiosity about security without authorization.
6. Business Impact:
Operational Impact: None.
Data Exposure: None (the enumerated user, group and computer attributes are readable by any authenticated domain user under default Active Directory permissions).
Policy Impact: Policy violation documented.
7. Remediation & Prevention:
Completed Actions:
Tool removed.
User educated.
Policy documented.
Technical Controls Enhanced:
Created alert for PowerView script execution.
Enhanced monitoring for SAMR enumeration.
Deployed application control to block unauthorized reconnaissance tools.
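The IoCs in section 3 (PowerView.ps1 in Downloads, Get-NetUser / Get-NetGroup / Get-NetGroupMember, powershell.exe) and the new alert for PowerView execution both rest on PowerShell script block logging (event ID 4104). The following is an added hunting example, not the page's own detection content: it reassembles chunked 4104 events by ScriptBlockId before matching, because large scripts such as PowerView are written as several events and a function name can straddle a chunk boundary. The records are constructed, and the indicator list is an assumption drawn from PowerView's public function names (older Get-Net* names and the later Get-Domain* names).

```python
"""Hunt PowerShell 4104 script-block logs for PowerView usage (added example)."""
import re
from collections import defaultdict

# Assumed indicator set: PowerView function names, old and newer spellings.
POWERVIEW_FUNCTIONS = [
    "Get-NetUser", "Get-DomainUser", "Get-NetGroup", "Get-DomainGroup",
    "Get-NetGroupMember", "Get-DomainGroupMember", "Get-NetComputer",
    "Get-DomainComputer", "Get-NetLocalGroup", "Invoke-UserHunter",
    "Find-LocalAdminAccess", "Invoke-ShareFinder",
]
_CANON = {name.lower(): name for name in POWERVIEW_FUNCTIONS}
# PowerShell is case-insensitive; guard both sides so Get-NetUser does not
# match inside a longer verb-noun such as Get-NetUserSPNs.
_FUNC_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, POWERVIEW_FUNCTIONS)) + r")(?![\w-])",
    re.IGNORECASE)
_PATH_RE = re.compile(r"powerview\.ps1", re.IGNORECASE)


def _ev(block_id, number, total, text, path="",
        computer="ENG-WS-045", user="COMPANY\\rpatel"):
    return {"EventID": 4104, "ScriptBlockId": block_id, "MessageNumber": number,
            "MessageTotal": total, "ScriptBlockText": text, "Path": path,
            "Computer": computer, "User": user}


# Constructed 4104 records. Block b7c1 is PowerView.ps1 being loaded from
# Downloads, logged as two chunks (delivered out of order) with the name
# "Get-NetComputer" split across the chunk boundary.
SAMPLE_4104 = [
    _ev("b7c1", 2, 2, "Computer {\n    param($ComputerName)\n}\n"
                      "function Get-NetGroupMember {\n    param($GroupName)\n}\n",
        path=r"C:\Users\rpatel\Downloads\PowerView.ps1"),
    _ev("b7c1", 1, 2, "#requires -version 2\n"
                      "function Get-NetUser {\n    param($UserName)\n}\n"
                      "function Get-Net",
        path=r"C:\Users\rpatel\Downloads\PowerView.ps1"),
    # Interactive commands typed after dot-sourcing the script.
    _ev("d4e2", 1, 1, "Get-NetGroupMember -GroupName \"Domain Admins\""),
    _ev("e9f3", 1, 1, "Get-NetUser -UserName *admin* | select samaccountname"),
    # Routine admin work with the RSAT ActiveDirectory module: not PowerView.
    _ev("0a1b", 1, 1, "Get-ADGroupMember 'Domain Admins' | Select-Object SamAccountName",
        computer="IT-ADM-01", user="COMPANY\\svc-helpdesk"),
]


def reassemble_script_blocks(events):
    """Stitch chunked 4104 events back together, keyed by ScriptBlockId."""
    chunks = defaultdict(list)
    for e in events:
        if e["EventID"] == 4104:
            chunks[e["ScriptBlockId"]].append(e)
    blocks = {}
    for block_id, parts in chunks.items():
        parts.sort(key=lambda e: e["MessageNumber"])
        first = parts[0]
        blocks[block_id] = {
            "text": "".join(p["ScriptBlockText"] for p in parts),
            "path": first["Path"], "computer": first["Computer"],
            "user": first["User"],
            # A missing chunk means the match below may be incomplete.
            "complete": len(parts) == first["MessageTotal"],
        }
    return blocks


def hunt_powerview(events):
    """Return one hit per script block that uses PowerView functions or
    was loaded from a file named PowerView.ps1."""
    hits = []
    for block_id, block in reassemble_script_blocks(events).items():
        names = {_CANON[m.lower()] for m in _FUNC_RE.findall(block["text"])}
        from_file = bool(_PATH_RE.search(block["path"]))
        if not names and not from_file:
            continue
        hits.append({"script_block_id": block_id, "computer": block["computer"],
                     "user": block["user"], "path": block["path"],
                     "functions": sorted(names),
                     "from_powerview_file": from_file,
                     "complete": block["complete"]})
    return sorted(hits, key=lambda h: h["script_block_id"])


if __name__ == "__main__":
    for hit in hunt_powerview(SAMPLE_4104):
        print(hit)
```

Matching per chunk instead of per reassembled block would have missed Get-NetComputer in b7c1 entirely; the `complete` flag tells the analyst when a hit was made on a partial block so the remaining chunks can be pulled from the endpoint before the script is judged.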
8. Conclusion:
An engineer downloaded and executed PowerView, performing extensive domain account discovery without authorization. MDI detected the anomalous SAMR queries, enabling identification and removal of the tool. The activity was a policy violation, not malicious.
Closure Rationale: Tool removed; user educated; policy violation documented.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-23 15:30 EST