
Task 2.1: User and IP address reconnaissance (SMB)

In this detection, an alert is triggered when SMB session enumeration is performed against a domain controller.

Every domain user and computer must access at least the SYSVOL share on a domain controller to retrieve GPOs, so the domain controller's SMB session list records which users are connected from which IP addresses. Attackers can enumerate these sessions to learn where users recently signed in, and then move laterally through the network to reach a specific sensitive account.

Tools used in this test: https://www.joeware.net/freetools/tools/netsess/.

  1. Open a new RDP session to WIN5 using the WIN5.rdp file in the Downloads folder, and then select More choices/Use a different account to sign in as MSMDI\JeffL with the password Passw0rd12!@

  2. In the Windows search field, enter CMD and then open a Command Prompt.

  3. Run the following command:

     c:\Tools\Netsess\NetSess.exe DC01

     You can safely ignore any errors that appear when running the command.
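As an added example that is not part of this lab, the following Python script shows one way a defender could surface the activity performed above in host logs rather than relying solely on the alert: it scans constructed Windows Security event 5145 (Detailed File Share) records from a domain controller for connections that opened the srvsvc named pipe through IPC$, which is the path a NetSessionEnum call takes. The event lines, their key=value layout, the computer name DC01 and the IP addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows Security event 5145 records from DC01,
# flattened to key=value pairs (assumption: illustrative data, not logs
# captured from the lab). Event 5145 requires the "Audit Detailed File
# Share" subcategory to be enabled; a NetSessionEnum call such as the one
# NetSess.exe issues reaches the Server service over the srvsvc pipe in IPC$.
SAMPLE_EVENTS = r"""
EventID=5145 Computer=DC01 SubjectUserName=JeffL SourceAddress=10.0.0.5 ShareName=\\*\IPC$ RelativeTargetName=srvsvc
EventID=5145 Computer=DC01 SubjectUserName=DC01$ SourceAddress=10.0.0.1 ShareName=\\*\IPC$ RelativeTargetName=lsarpc
EventID=5145 Computer=DC01 SubjectUserName=JeffL SourceAddress=10.0.0.5 ShareName=\\*\SYSVOL RelativeTargetName=msmdi.local\Policies
EventID=4624 Computer=DC01 SubjectUserName=JeffL SourceAddress=10.0.0.5
EventID=5145 Computer=DC01 SubjectUserName=WIN5$ SourceAddress=10.0.0.5 ShareName=\\*\IPC$ RelativeTargetName=srvsvc
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD.findall(line))


def find_session_enumeration(log_text, domain_controllers):
    """Return (source address, account) pairs for every 5145 event on a
    domain controller in which the client opened the srvsvc pipe via IPC$."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "5145" or ev.get("Computer") not in domain_controllers:
            continue
        share = ev.get("ShareName", "").upper()
        target = ev.get("RelativeTargetName", "").lower()
        if share.endswith("IPC$") and target == "srvsvc":
            hits.append((ev["SourceAddress"], ev["SubjectUserName"]))
    return hits


def count_by_source(hits):
    """Aggregate hits per source address so a host probing DCs stands out."""
    return Counter(src for src, _ in hits)


if __name__ == "__main__":
    found = find_session_enumeration(SAMPLE_EVENTS, {"DC01"})
    for src, n in count_by_source(found).items():
        print(f"{src}: {n} srvsvc pipe access(es) on a domain controller")
```

The srvsvc pipe also serves other Server service RPC calls, so treat a hit as a lead to compare against the host's normal behaviour rather than as a verdict on its own.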

For more information, review User and IP address reconnaissance (SMB) (external ID 2012).