Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Enumeration is a simple but important step taken by attackers after an initial network compromise. Reconnaissance tools such as BloodHound make the process of collecting information about the network relatively easy to perform. Enumeration activity typically does not negatively affect network performance, but attackers can leverage this information to find new targets in an attack campaign.
The system might change the risk score for this detection.
Kill Chain
Risk Score
37
Kerberos is an authentication protocol that creates tickets encrypted with account keys to verify identity and permissions. A ticket contains user, computer, or service account credentials that are encrypted with a cipher algorithm. When a user attempts to access a service, a Kerberos request with a client principal name (CPN) is sent to the Key Distribution Center (KDC) on a domain controller. A CPN is a unique identifier for an account that contains the username and realm (or domain) of the account, such as user@example-domain.com. The KDC processes the request and ultimately returns a ticket or an error message to the user. If the user submits a CPN that does not exist, the KDC informs the user with an error such as KDC_ERR_C_PRINCIPAL_UNKNOWN. An attacker performing Active Directory reconnaissance can take advantage of this error message to learn which CPNs exist in the domain.
Limit the number of account login attempts and block users that exceed this number
