Potential Active Directory Reconnaissance/Enumeration Via LDAP

Detects potential Active Directory enumeration via LDAP

Sigma rule

title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
author: Adeem Mawani
date: 2021/06/22
modified: 2023/11/03
tags:
    - attack.discovery
    - attack.t1069.002
    - attack.t1087.002
    - attack.t1482
logsource:
    product: windows
    service: ldap
    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            - '(objectCategory=Computer)'
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag
level: medium
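The condition above excludes broad searches that are narrowed to one SID, but lets the suspicious_flag selectors fire regardless. The evaluator below is an added example (not the Sigma project's or the rule author's code) that applies that condition to constructed EventID 30 events; it uses a subset of the rule's selector lists and treats `*` as a Sigma wildcard and `\*` as a literal asterisk, with case-insensitive matching as Sigma's `contains` does.

```python
import re

# Added example, not the Sigma project's code: evaluate this rule's condition
# over constructed LDAP client events. Sigma 'contains' is case-insensitive,
# an unescaped '*' is a wildcard and '\*' is a literal asterisk.
GENERIC_SEARCH = [  # subset of the rule's generic_search list
    "(groupType:1.2.840.113556.1.4.803:=2147483648)",
    "(objectCategory=person)",
    "(objectClass=user)",
    "objectGUID=\\*",
]
SUSPICIOUS_FLAG = [  # subset of the rule's suspicious_flag list
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
    "msDS-AllowedToDelegateTo",
    "(adminCount=1)",
]
NARROW_DOWN_FILTER = ["(domainSid=*)", "(objectSid=*)"]  # complete list

def sigma_contains(pattern):
    """Compile a Sigma 'contains' value into a case-insensitive regex."""
    parts = []
    for tok in re.split(r"(\\\*|\*)", pattern):
        if tok == "\\*":
            parts.append(re.escape("*"))   # escaped: literal asterisk
        elif tok == "*":
            parts.append(".*")             # unescaped: wildcard
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.IGNORECASE)

def any_match(value, patterns):
    return any(sigma_contains(p).search(value) for p in patterns)

def rule_matches(event):
    if event.get("EventID") != 30:
        return False
    f = event.get("SearchFilter", "")
    generic = any_match(f, GENERIC_SEARCH)
    narrow = any_match(f, NARROW_DOWN_FILTER)
    # condition: (generic_search and not narrow_down_filter) or suspicious_flag
    return (generic and not narrow) or any_match(f, SUSPICIOUS_FLAG)

EVENTS = [  # constructed sample events, not real telemetry
    {"EventID": 30, "SearchFilter": "(&(objectClass=user)(objectSid=S-1-5-21-1-2-3-1105))"},
    {"EventID": 30, "SearchFilter": "(&(objectCategory=person)(objectClass=user))"},
    {"EventID": 30, "SearchFilter": "(&(objectclass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=4194304)(objectSid=S-1-5-21-1-2-3-500))"},
    {"EventID": 30, "SearchFilter": "(objectGUID=*)"},
    {"EventID": 31, "SearchFilter": "(objectClass=user)"},
]

def alerts():
    return [rule_matches(e) for e in EVENTS]
```

The first event is a lookup of a single object and is suppressed by narrow_down_filter; the third carries a userAccountControl bit from suspicious_flag and alerts even though it is also narrowed to one SID.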
