Microsoft-Windows-LDAP-Client
31 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | task_0 | Debug | N |
| 2 | task_02 | Debug | N |
| 3 | task_03 | Debug | N |
| 4 | task_04 | Debug | N |
| 5 | task_05 | Debug | N |
| 6 | task_06 | Debug | N |
| 7 | task_07 | Debug | N |
| 8 | task_08 | Debug | N |
| 9 | task_09 | Debug | N |
| 10 | task_010 | Debug | N |
| 11 | task_011 | Debug | N |
| 12 | task_012 | Debug | N |
| 13 | task_013 | Debug | N |
| 14 | task_014 | Debug | N |
| 15 | task_015 | Debug | N |
| 16 | task_016 | Debug | N |
| 17 | task_017 | Debug | N |
| 18 | task_018 | Debug | N |
| 19 | task_019 | Debug | N |
| 20 | task_020 | Debug | N |
| 21 | task_021 | Debug | N |
| 22 | task_022 | Debug | N |
| 23 | task_023 | Debug | N |
| 24 | task_024 | Debug | N |
| 25 | task_025 | Debug | N |
| 26 | task_026 | Debug | N |
| 27 | task_027 | Debug | N |
| 28 | task_028 | Debug | N |
| 29 | task_029 | Debug | N |
| 30 | LDAP search request | Debug | Y |
| 31 | task_031 | Debug | N |
Event ID 30: LDAP search request
Description
Emitted by wldap32.dll when the client submits an LDAP search to the server. Captures the search filter, base DN, scope, and requested attributes exactly as the client process supplied them, before the server has evaluated anything: the event records what was asked for, not what came back, and it carries no result or status field. Fires for every ldap_search call, including rootDSE probes (empty base DN, base scope) and paged searches. The event is written to the provider's Debug channel, which is not enabled by default; collect it by enabling that channel or by tracing the provider GUID directly. Verified by live ETW capture on Win11 26200 (2026-06-05).
Fields
| Name | Type | Description | Rules |
|---|---|---|---|
| ScopeOfSearch | UInt32 | LDAP search scope: 0 = base (the base object only), 1 = one-level (immediate children of the base, not the base itself), 2 = subtree (the base object and all descendants) | |
| SearchFilter | UnicodeString | LDAP search filter string (RFC 4515 syntax), e.g. (objectClass=user) | 49 detection rules |
| DistinguishedName | UnicodeString | Base distinguished name for the search; an empty string indicates a rootDSE query | 3 detection rules |
| AttributeList | UnicodeString | Requested attribute names, semicolon-separated; empty requests all non-operational (user) attributes | |
| ProcessId | HexInt32 | PID of the process that issued the search, as a hex string; in the example below 0x11E4 = 4580, matching the decimal execution.process_id in the event header | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-LDAP-Client",
    "guid": "{099614a5-5dd7-4788-8bc9-e29f43db28fc}",
    "event_source_name": "",
    "event_id": "30",
    "version": "0",
    "level": "0",
    "task": "0",
    "opcode": "0",
    "keywords": -9223372036854775807,
    "time_created": "2026-06-05T07:31:06.778512400+00:00",
    "event_record_id": 16,
    "correlation": {
      "ActivityID": "{ae3adfdf-f2b5-0000-41b2-43aeb5f2dc01}"
    },
    "execution": {
      "process_id": "4580",
      "thread_id": "6584"
    },
    "channel": "Microsoft-Windows-LDAP-Client/Debug",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ScopeOfSearch": "2",
    "SearchFilter": "(objectClass=user)",
    "DistinguishedName": "DC=ludus,DC=domain",
    "AttributeList": "",
    "ProcessId": "0x11E4"
  },
  "message": ""
}
```
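As an added example, not code from this page or from Microsoft: Python triage of event 30 records in the JSON shape shown above. It decodes the HexInt32 ProcessId and checks it against the decimal execution header (0x11E4 = 4580 in the sample), names the scope, splits AttributeList, separates rootDSE probes from real searches, and tags filters that match the Discovery: Domain Account pattern listed under Detection Patterns. The filter list, the tag names, and every sample event other than the page's own are assumptions chosen for illustration.

```python
import re

# LDAP_SCOPE_BASE / LDAP_SCOPE_ONELEVEL / LDAP_SCOPE_SUBTREE, as ScopeOfSearch encodes them.
SCOPE_NAMES = {0: "base", 1: "onelevel", 2: "subtree"}

# Illustrative account-enumeration filters for the "Discovery: Domain Account"
# pattern. This list is an assumption for the example, not the page's rule set.
ACCOUNT_ENUM_FILTERS = [
    re.compile(r"\(objectClass=user\)", re.I),
    re.compile(r"\(objectCategory=person\)", re.I),
    re.compile(r"\(sAMAccountType=805306368\)", re.I),  # SAM_USER_OBJECT
]

# Constructed events in the page's JSON shape, trimmed to the fields read below.
# Event 1 reproduces the page's sample event_data; events 2 and 3 are hypothetical.
SAMPLE_EVENTS = [
    {   # subtree search for every user object from the domain root, all attributes
        "system": {"event_id": "30", "execution": {"process_id": "4580"}},
        "event_data": {"ScopeOfSearch": "2", "SearchFilter": "(objectClass=user)",
                       "DistinguishedName": "DC=ludus,DC=domain", "AttributeList": "",
                       "ProcessId": "0x11E4"},
    },
    {   # rootDSE probe: empty base DN, base scope (normal client bootstrap noise)
        "system": {"event_id": "30", "execution": {"process_id": "4580"}},
        "event_data": {"ScopeOfSearch": "0", "SearchFilter": "(objectClass=*)",
                       "DistinguishedName": "",
                       "AttributeList": "supportedCapabilities;dnsHostName",
                       "ProcessId": "0x11E4"},
    },
    {   # targeted one-level lookup under one OU; not an account-enumeration filter
        "system": {"event_id": "30", "execution": {"process_id": "812"}},
        "event_data": {"ScopeOfSearch": "1", "SearchFilter": "(objectClass=computer)",
                       "DistinguishedName": "OU=Servers,DC=ludus,DC=domain",
                       "AttributeList": "dNSHostName", "ProcessId": "0x32C"},
    },
]


def parse_event(ev):
    """Normalise one event-30 record: decode the hex PID, name the scope,
    split the attribute list and flag rootDSE probes."""
    if ev["system"]["event_id"] != "30":
        raise ValueError("not an LDAP-Client event 30")
    data = ev["event_data"]
    pid = int(data["ProcessId"], 16)                      # HexInt32 -> int
    header_pid = int(ev["system"]["execution"]["process_id"])
    scope = int(data["ScopeOfSearch"])
    base_dn = data["DistinguishedName"]
    return {
        "pid": pid,
        # The hex event_data PID should agree with the decimal execution header;
        # a mismatch means the record was mis-parsed or altered in transit.
        "pid_consistent": pid == header_pid,
        "scope": SCOPE_NAMES.get(scope, f"unknown({scope})"),
        "base_dn": base_dn,
        "is_rootdse": base_dn == "" and scope == 0,
        "filter": data["SearchFilter"],
        # empty AttributeList = all user attributes requested
        "attributes": [a for a in data["AttributeList"].split(";") if a],
    }


def classify(parsed):
    """Return triage tags for one parsed event."""
    if parsed["is_rootdse"]:
        return ["rootdse_probe"]
    tags = []
    if any(p.search(parsed["filter"]) for p in ACCOUNT_ENUM_FILTERS):
        tags.append("domain_account_discovery")
        # Subtree search from a domain naming context with no attribute list
        # is the broadest form: every user object, every attribute.
        if (parsed["scope"] == "subtree"
                and parsed["base_dn"].upper().startswith("DC=")
                and not parsed["attributes"]):
            tags.append("broad_enumeration")
    return tags


def triage(events):
    """Run the pipeline over a batch; returns one (pid, tags) pair per event."""
    return [(p["pid"], classify(p)) for p in map(parse_event, events)]


if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS):
        print(pid, tags)
```

The rootDSE short-circuit matters in practice: every LDAP client bootstraps with one or more rootDSE reads, so any rule keyed only on SearchFilter or on an empty AttributeList will fire on connection setup unless those records are separated first.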
Detection Patterns
Discovery: Domain Account (ATT&CK), 1 rule
Detection Rules
Sigma rules referencing this event are listed in the coverage view.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 099614a5-5dd7-4788-8bc9-e29f43db28fc
Defined in wldap32.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02