Enumeration via the Global Catalog

Detects enumeration of the Global Catalog (which can be performed with BloodHound or other AD reconnaissance tools). Adjust the threshold to the size of the domain: the rule counts Windows Filtering Platform connection events (5156) to the Global Catalog ports 3268 (LDAP) and 3269 (LDAPS) per source address within a one-hour window.

Sigma rule

```yaml
title: Enumeration via the Global Catalog
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
status: unsupported
description: Detects enumeration of the Global Catalog (which can be performed with BloodHound or other AD reconnaissance tools). Adjust the threshold to the size of the domain.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020/05/11
modified: 2023/02/24
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
detection:
    selection:
        EventID: 5156
        DestPort:
            - 3268    # Global Catalog over LDAP
            - 3269    # Global Catalog over LDAPS
    timeframe: 1h
    condition: selection | count() by SourceAddress > 2000
falsepositives:
    - Exclude known DCs.
level: medium
```
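The following is an added example, not part of the Sigma rule or the Sigma project: a small evaluator that applies the rule's selection, timeframe and count-by aggregation to constructed Event 5156 records, with an allow-list for known domain controllers (the rule's documented false positive). The IP addresses, the event record shape and the threshold value used for the sample are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GC_PORTS = {3268, 3269}          # Global Catalog LDAP / LDAPS (rule: DestPort)
TIMEFRAME = timedelta(hours=1)   # rule: timeframe: 1h
THRESHOLD = 2000                 # rule: count() by SourceAddress > 2000

def matches_selection(event):
    """The rule's 'selection' block: Event 5156 to a Global Catalog port."""
    return event.get("EventID") == 5156 and int(event.get("DestPort", 0)) in GC_PORTS

def alert_sources(events, threshold=THRESHOLD, known_dcs=frozenset()):
    """Return {SourceAddress: peak 1h count} for sources above threshold.
    known_dcs implements the false-positive note (exclude known DCs)."""
    per_source = defaultdict(list)
    for ev in events:
        if matches_selection(ev) and ev["SourceAddress"] not in known_dcs:
            per_source[ev["SourceAddress"]].append(ev["TimeCreated"])
    alerts = {}
    for src, times in per_source.items():
        times.sort()                    # events may arrive unordered
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= TIMEFRAME:   # slide window: drop events >= 1h old
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[src] = peak
    return alerts

def constructed_sample():
    """Constructed records (not real logs): a workstation and a DC each make 2500
    GC connections in ~42 minutes; a third host makes 10; one goes to LDAP 389."""
    base = datetime(2023, 2, 24, 9, 0, 0)
    ev = []
    for i in range(2500):
        t = base + timedelta(seconds=i)
        ev.append({"EventID": 5156, "SourceAddress": "10.0.0.50", "DestPort": 3268, "TimeCreated": t})
        ev.append({"EventID": 5156, "SourceAddress": "10.0.0.10", "DestPort": 3269, "TimeCreated": t})
    for i in range(10):
        ev.append({"EventID": 5156, "SourceAddress": "10.0.0.77", "DestPort": 3268,
                   "TimeCreated": base + timedelta(minutes=i)})
    ev.append({"EventID": 5156, "SourceAddress": "10.0.0.50", "DestPort": 389, "TimeCreated": base})
    return ev

KNOWN_DCS = frozenset({"10.0.0.10"})  # assumed DC address in the constructed sample

if __name__ == "__main__":
    print(alert_sources(constructed_sample(), known_dcs=KNOWN_DCS))  # {'10.0.0.50': 2500}
```

Without the allow-list the DC at 10.0.0.10 fires as well, which is the noise the rule's falsepositives entry warns about; lowering the threshold shows why it must be tuned to domain size.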
