Potential Active Directory Reconnaissance/Enumeration Via LDAP

 1title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
 2id: 31d68132-4038-47c7-8f8e-635a39a7c174
 3status: test
 4description: Detects potential Active Directory enumeration via LDAP
 5references:
 6    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
 7    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
 8    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
 9    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
10    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
11author: Adeem Mawani
12date: 2021/06/22
13modified: 2023/11/03
14tags:
15    - attack.discovery
16    - attack.t1069.002
17    - attack.t1087.002
18    - attack.t1482
19logsource:
20    product: windows
21    service: ldap
22    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
23detection:
24    generic_search:
25        EventID: 30
26        SearchFilter|contains:
27            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
28            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
29            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
30            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
31            - '(sAMAccountType=805306369)'
32            - '(sAMAccountType=805306368)'
33            - '(sAMAccountType=536870913)'
34            - '(sAMAccountType=536870912)'
35            - '(sAMAccountType=268435457)'
36            - '(sAMAccountType=268435456)'
37            - '(objectCategory=groupPolicyContainer)'
38            - '(objectCategory=organizationalUnit)'
39            - '(objectCategory=Computer)'
40            - '(objectCategory=nTDSDSA)'
41            - '(objectCategory=server)'
42            - '(objectCategory=domain)'
43            - '(objectCategory=person)'
44            - '(objectCategory=group)'
45            - '(objectCategory=user)'
46            - '(objectClass=trustedDomain)'
47            - '(objectClass=computer)'
48            - '(objectClass=server)'
49            - '(objectClass=group)'
50            - '(objectClass=user)'
51            - '(primaryGroupID=521)'
52            - '(primaryGroupID=516)'
53            - '(primaryGroupID=515)'
54            - '(primaryGroupID=512)'
55            - 'Domain Admins'
56            - 'objectGUID=\*'
57            - '(schemaIDGUID=\*)'
58    suspicious_flag:
59        EventID: 30
60        SearchFilter|contains:
61            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
62            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
63            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
64            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
65            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
66            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
67            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
68            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
69            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
70            - 'msDS-AllowedToDelegateTo'
71            - 'msDS-GroupManagedServiceAccount'
72            - '(accountExpires=9223372036854775807)'
73            - '(accountExpires=0)'
74            - '(adminCount=1)'
75            - 'ms-MCS-AdmPwd'
76    narrow_down_filter:
77        EventID: 30
78        SearchFilter|contains:
79            - '(domainSid=*)'
80            - '(objectSid=*)'
81    condition: (generic_search and not narrow_down_filter) or suspicious_flag
82level: medium