How to detect and respond to a Brute-force Username Detection attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect a potential Brute-force Username Detection (user enumeration) attack, understand the immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • The necessary audit policies to generate logon failure events must be enabled on all Domain Controllers. This includes policies for Audit Kerberos Authentication Service (for Event IDs 4768, 4771) and Audit Credential Validation (for Event IDs 4625, 4776).

Steps to follow  

The process for handling a Brute-force Username Detection attack involves detection, immediate remediation, and prevention.

Part 1: Detecting the attack  

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Brute-force Username Detection.

  2. This report shows all detections of a high volume of logon failures with unknown usernames originating from a single machine.

Part 2: Understanding the detection criteria  

ADAudit Plus detects a potential username enumeration attack based on the following pattern:

  • Description: An attacker attempts to authenticate with multiple unknown usernames from the same machine in a short period of time. This is a reconnaissance technique used to discover valid usernames for future attacks.

  • Detection Logic:

    • Any combination of the following four events is detected 10 times within 5 minutes from the same source machine, each with an unknown username.

    • Event 1:

      • Event code equals 4771 (Kerberos pre-authentication failed).

      • Failure code equals 0x6 (Client not found in Kerberos database).

      • Account name does not end with $.

    • Event 2:

      • Event code equals 4625 (An account failed to log on).

      • Sub Status equals 0xC0000064 (User name does not exist).

      • Account name does not end with $.

    • Event 3:

      • Event code equals 4768 (A Kerberos authentication ticket (TGT) was requested).

      • Result code equals 0x6 (Client name not found in Kerberos database).

      • Account name does not end with $.

    • Event 4:

      • Event code equals 4776 (The computer attempted to validate the credentials for an account).

      • Result code equals 0xC0000064 (User name does not exist).

      • Logon Account does not end with $.
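The correlation rule above, expressed as runnable code. This is an added illustration, not ADAudit Plus's own implementation: it matches the four event signatures, excludes computer accounts (names ending in $), and counts hits per source machine in a sliding 5-minute window. Field names such as event_id, source, account, failure_code, sub_status and result_code are assumed, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four "user name does not exist" signatures listed above. Field names such as
# event_id, source, account and failure_code are assumed, not ADAudit Plus's schema.
PATTERNS = {
    4771: ("failure_code", "0x6"),        # Kerberos pre-auth failed, client not found
    4625: ("sub_status", "0xC0000064"),   # logon failed, user name does not exist
    4768: ("result_code", "0x6"),         # TGT request, client name not found
    4776: ("result_code", "0xC0000064"),  # credential validation, user name does not exist
}

def is_unknown_user_failure(ev):
    """Match one of the four signatures, excluding computer accounts (trailing $)."""
    rule = PATTERNS.get(ev["event_id"])
    if rule is None:
        return False
    field, expected = rule
    return ev.get(field, "").lower() == expected.lower() and not ev["account"].endswith("$")

def detect_enumeration(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source: time the threshold was first reached} for each source with
    >= threshold qualifying events inside a sliding window."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_unknown_user_failure(ev):
            continue
        q = recent[ev["source"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ev["source"] not in alerts:
            alerts[ev["source"]] = ev["time"]
    return alerts

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed sample events follow (not real log data)
IDS = [4771, 4625, 4768, 4776]

def make_event(offset_s, source, account, event_id, code):
    return {"time": T0 + timedelta(seconds=offset_s), "source": source,
            "account": account, "event_id": event_id, PATTERNS[event_id][0]: code}

SAMPLE_EVENTS = (
    # 12 unknown-user failures from one host in 88 seconds: alerts at the 10th
    [make_event(8 * i, "10.0.0.5", f"probe{i}", IDS[i % 4], PATTERNS[IDS[i % 4]][1]) for i in range(12)]
    # 10 unknown-user failures spread over 6 minutes: never 10 inside 5 minutes
    + [make_event(40 * i, "10.0.0.7", f"guess{i}", 4776, "0xC0000064") for i in range(10)]
    + [make_event(0, "10.0.0.9", "WKS01$", 4768, "0x6"),        # computer account, excluded
       make_event(60, "10.0.0.9", "alice", 4625, "0xC000006A")]  # wrong password, not unknown user
)
```

Running `detect_enumeration(SAMPLE_EVENTS)` flags only 10.0.0.5, at the moment its 10th qualifying event arrives; the slow source and the noise events fall outside the rule.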

Part 3: Immediate remediation  

If this activity is detected, act immediately to stop the reconnaissance.

  1. Block the Source IP Address: The event logs and the ADAudit Plus report will show the source machine/IP address. Immediately block this IP address at your network firewall to stop the attack.

  2. Investigate the Source: If the source IP address is internal, it indicates a compromised machine on your network. Isolate the machine and perform a forensic analysis to identify and remove the tool being used for the enumeration.

  3. Review Exposed Services: Determine which service is being targeted (e.g., RDP, OWA, VPN). If the attack originates from an external IP, review the security of that internet-facing service.

Validation and confirmation  

  • After blocking the source IP, the Brute-force Username Detection report in ADAudit Plus should show no further detections from that source.

  • Network logs should confirm that traffic from the malicious IP is being dropped.

  • If an internal machine was compromised, it should be cleaned and monitored before being returned to the network.

Tips  

The following best practices can help prevent and mitigate username enumeration attacks.

Account Lockout Policies  

  • While not directly preventing username enumeration, a strong account lockout policy can prevent subsequent password spraying or brute-force attacks against any discovered usernames.

Secure Internet-Facing Services  

  • Implement Multi-Factor Authentication (MFA) on all external-facing services like VPNs and OWA. MFA makes username discovery significantly less valuable to an attacker.

  • Use a Web Application Firewall (WAF) to detect and block automated scanning and brute-force attempts against web applications.

Network Security  

  • Use an Intrusion Prevention System (IPS) to detect and block reconnaissance activity at the network perimeter.

  • Restrict access to management ports (like RDP and WinRM) from the internet. All administrative access should be performed over a secure, MFA-protected VPN.

Related topics and articles  

  • How to configure Attack Surface Analyzer in ADAudit Plus
