Potential Active Directory Reconnaissance/Enumeration Via LDAP

 1title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
 2id: 31d68132-4038-47c7-8f8e-635a39a7c174
 3status: test
 4description: Detects potential Active Directory enumeration via LDAP
 5references:
 6    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
 7    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
 8    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
 9    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
10    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
11    - https://ipurple.team/2024/07/15/sharphound-detection/
12author: Adeem Mawani
13date: 2021-06-22
14modified: 2024-08-27
15tags:
16    - attack.discovery
17    - attack.t1069.002
18    - attack.t1087.002
19    - attack.t1482
20logsource:
21    product: windows
22    service: ldap
23    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
24detection:
25    generic_search:
26        EventID: 30
27        SearchFilter|contains:
28            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
29            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
30            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
31            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
32            - '(sAMAccountType=805306369)'
33            - '(sAMAccountType=805306368)'
34            - '(sAMAccountType=536870913)'
35            - '(sAMAccountType=536870912)'
36            - '(sAMAccountType=268435457)'
37            - '(sAMAccountType=268435456)'
38            - '(objectCategory=groupPolicyContainer)'
39            - '(objectCategory=organizationalUnit)'
40            - '(objectCategory=Computer)'
41            - '(objectCategory=nTDSDSA)'
42            - '(objectCategory=server)'
43            - '(objectCategory=domain)'
44            - '(objectCategory=person)'
45            - '(objectCategory=group)'
46            - '(objectCategory=user)'
47            - '(objectClass=trustedDomain)'
48            - '(objectClass=computer)'
49            - '(objectClass=server)'
50            - '(objectClass=group)'
51            - '(objectClass=user)'
52            - '(primaryGroupID=521)'
53            - '(primaryGroupID=516)'
54            - '(primaryGroupID=515)'
55            - '(primaryGroupID=512)'
56            - 'Domain Admins'
57            - 'objectGUID=\*'
58            - '(schemaIDGUID=\*)'
59            - 'admincount=1'
60    distinguished_name_enumeration:
61        EventID: 30
62        SearchFilter: '(objectclass=\*)'
63        DistinguishedName|contains:
64            - 'CN=Domain Admins'
65            - 'CN=Enterprise Admins'
66            - 'CN=Group Policy Creator Owners'
67    suspicious_flag:
68        EventID: 30
69        SearchFilter|contains:
70            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
71            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
72            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
73            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
74            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
75            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
76            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
77            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
78            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
79            - 'msDS-AllowedToDelegateTo'
80            - 'msDS-GroupManagedServiceAccount'
81            - '(accountExpires=9223372036854775807)'
82            - '(accountExpires=0)'
83            - '(adminCount=1)'
84            - 'ms-MCS-AdmPwd'
85    narrow_down_filter:
86        EventID: 30
87        SearchFilter|contains:
88            - '(domainSid=*)'
89            - '(objectSid=*)'
90    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
91level: medium

References

• Hunting for reconnaissance activities using LDAP search filters

  

  Attackers are known to use LDAP to gather information about users, machines, and the domain structure. Attackers can then take over high-privileged accounts by..

  
  Read More

• PowerSploit/Recon/PowerView.ps1 at d943001a7defb5e0d1657085a77a0e78609be58f · PowerShellMafia/PowerSploit

  

  PowerSploit - A PowerShell Post-Exploitation Framework - PowerShellMafia/PowerSploit

  
  Read More

• SharpHound3/SharpHound3/LdapBuilder.cs at 7d96b991b1887ff50349ce59c80980bc0d95c86a · BloodHoundAD/SharpHound3

  

  C# Data Collector for the BloodHound Project, Version 3 - BloodHoundAD/SharpHound3

  
  Read More

• FalconFriday — Detecting Active Directory Data Collection  — 0xFF21

  

  Active Directory data collection

  
  Read More

• BloodHound.py/bloodhound/ad/domain.py at d65eb614831cd30f26028ccb072f5e77ca287e0b · dirkjanm/BloodHound.py

  

  A Python based ingestor for BloodHound. Contribute to dirkjanm/BloodHound.py development by creating an account on GitHub.

  
  Read More

• SharpHound Detection

  

  BloodHound is an attack path management solution which can discover hidden relationships in Active Directory by performing data analysis to identify paths in the domain that will lead to lateral mo…

  
  Read More

Related rules

• BloodHound Collection Files
• HackTool - Bloodhound/Sharphound Execution
• Malicious PowerShell Commandlets - PoshModule
• Malicious PowerShell Commandlets - ProcessCreation
• Malicious PowerShell Commandlets - ScriptBlock