Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
Sigma rule (View on GitHub)
1title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
2id: 31d68132-4038-47c7-8f8e-635a39a7c174
3status: test
4description: Detects potential Active Directory enumeration via LDAP
5references:
6 - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
7 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
8 - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
9 - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
10 - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
11 - https://ipurple.team/2024/07/15/sharphound-detection/
12author: Adeem Mawani
13date: 2021-06-22
14modified: 2024-08-27
15tags:
16 - attack.discovery
17 - attack.t1069.002
18 - attack.t1087.002
19 - attack.t1482
20logsource:
21 product: windows
22 service: ldap
23 definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
24detection:
25 generic_search:
26 EventID: 30
27 SearchFilter|contains:
28 - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
29 - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
30 - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
31 - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
32 - '(sAMAccountType=805306369)'
33 - '(sAMAccountType=805306368)'
34 - '(sAMAccountType=536870913)'
35 - '(sAMAccountType=536870912)'
36 - '(sAMAccountType=268435457)'
37 - '(sAMAccountType=268435456)'
38 - '(objectCategory=groupPolicyContainer)'
39 - '(objectCategory=organizationalUnit)'
40 - '(objectCategory=Computer)'
41 - '(objectCategory=nTDSDSA)'
42 - '(objectCategory=server)'
43 - '(objectCategory=domain)'
44 - '(objectCategory=person)'
45 - '(objectCategory=group)'
46 - '(objectCategory=user)'
47 - '(objectClass=trustedDomain)'
48 - '(objectClass=computer)'
49 - '(objectClass=server)'
50 - '(objectClass=group)'
51 - '(objectClass=user)'
52 - '(primaryGroupID=521)'
53 - '(primaryGroupID=516)'
54 - '(primaryGroupID=515)'
55 - '(primaryGroupID=512)'
56 - 'Domain Admins'
57 - 'objectGUID=\*'
58 - '(schemaIDGUID=\*)'
59 - 'admincount=1'
60 distinguished_name_enumeration:
61 EventID: 30
62 SearchFilter: '(objectclass=\*)'
63 DistinguishedName|contains:
64 - 'CN=Domain Admins'
65 - 'CN=Enterprise Admins'
66 - 'CN=Group Policy Creator Owners'
67 suspicious_flag:
68 EventID: 30
69 SearchFilter|contains:
70 - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
71 - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
72 - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
73 - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
74 - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
75 - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
76 - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
77 - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
78 - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
79 - 'msDS-AllowedToDelegateTo'
80 - 'msDS-GroupManagedServiceAccount'
81 - '(accountExpires=9223372036854775807)'
82 - '(accountExpires=0)'
83 - '(adminCount=1)'
84 - 'ms-MCS-AdmPwd'
85 narrow_down_filter:
86 EventID: 30
87 SearchFilter|contains:
88 - '(domainSid=*)'
89 - '(objectSid=*)'
90 condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
91level: medium
References
Related rules
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ScriptBlock
- PUA - AdFind Suspicious Execution