detection.wiki

Detection rules › Sigma

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Status
test
Severity
medium
Log source
product windows, service ldap
Author
Adeem Mawani
Source
github.com/SigmaHQ/sigma

Detects potential Active Directory enumeration via LDAP

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1069.002 Permission Groups Discovery: Domain Groups, T1087.002 Account Discovery: Domain Account, T1482 Domain Trust Discovery

Event coverage

ProviderEventTitle
LDAP-ClientEvent ID 30LDAP search request

Rule body yaml

title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
    - https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
    - attack.discovery
    - attack.t1069.002
    - attack.t1087.002
    - attack.t1482
logsource:
    product: windows
    service: ldap
    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            # - '(objectCategory=Computer)' Prone to false positives
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
            - 'admincount=1'
    distinguished_name_enumeration:
        EventID: 30
        SearchFilter: '(objectclass=\*)'
        DistinguishedName|contains:
            - 'CN=Domain Admins'
            - 'CN=Enterprise Admins'
            - 'CN=Group Policy Creator Owners'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium

Stages and Predicates

Stage 0: condition

(generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration

Stage 1: generic_search

generic_search:
    EventID: 30
    SearchFilter|contains:
        - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
        - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
        - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
        - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
        - '(sAMAccountType=805306369)'
        - '(sAMAccountType=805306368)'
        - '(sAMAccountType=536870913)'
        - '(sAMAccountType=536870912)'
        - '(sAMAccountType=268435457)'
        - '(sAMAccountType=268435456)'
        - '(objectCategory=groupPolicyContainer)'
        - '(objectCategory=organizationalUnit)'
        - '(objectCategory=nTDSDSA)'
        - '(objectCategory=server)'
        - '(objectCategory=domain)'
        - '(objectCategory=person)'
        - '(objectCategory=group)'
        - '(objectCategory=user)'
        - '(objectClass=trustedDomain)'
        - '(objectClass=computer)'
        - '(objectClass=server)'
        - '(objectClass=group)'
        - '(objectClass=user)'
        - '(primaryGroupID=521)'
        - '(primaryGroupID=516)'
        - '(primaryGroupID=515)'
        - '(primaryGroupID=512)'
        - 'Domain Admins'
        - 'objectGUID=\*'
        - '(schemaIDGUID=\*)'
        - 'admincount=1'

Stage 2: not narrow_down_filter

narrow_down_filter:
    EventID: 30
    SearchFilter|contains:
        - '(domainSid=*)'
        - '(objectSid=*)'

Stage 3: suspicious_flag

suspicious_flag:
    EventID: 30
    SearchFilter|contains:
        - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
        - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
        - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
        - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
        - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
        - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
        - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
        - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
        - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
        - 'msDS-AllowedToDelegateTo'
        - 'msDS-GroupManagedServiceAccount'
        - '(accountExpires=9223372036854775807)'
        - '(accountExpires=0)'
        - '(adminCount=1)'
        - 'ms-MCS-AdmPwd'

Stage 4: distinguished_name_enumeration

distinguished_name_enumeration:
    EventID: 30
    SearchFilter: '(objectclass=\*)'
    DistinguishedName|contains:
        - 'CN=Domain Admins'
        - 'CN=Enterprise Admins'
        - 'CN=Group Policy Creator Owners'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
SearchFiltermatch(domainSid=*)
SearchFiltermatch(objectSid=*)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
DistinguishedNamematch
  • CN=Domain Admins
  • CN=Enterprise Admins
  • CN=Group Policy Creator Owners
SearchFiltereq
  • (objectclass=\*)
SearchFiltermatch
  • !(UserAccountControl:1.2.840.113556.1.4.803:=2)
  • !(userAccountControl:1.2.840.113556.1.4.803:=1048574)
  • (accountExpires=0)
  • (accountExpires=9223372036854775807)
  • (adminCount=1)
  • (groupType:1.2.840.113556.1.4.803:=2147483648)
  • (groupType:1.2.840.113556.1.4.803:=2147483650)
  • (groupType:1.2.840.113556.1.4.803:=2147483652)
  • (groupType:1.2.840.113556.1.4.803:=2147483656)
  • (objectCategory=domain)
  • (objectCategory=group)
  • (objectCategory=groupPolicyContainer)
  • (objectCategory=nTDSDSA)
  • (objectCategory=organizationalUnit)
  • (objectCategory=person)
  • (objectCategory=server)
  • (objectCategory=user)
  • (objectClass=computer)
  • (objectClass=group)
  • (objectClass=server)
  • (objectClass=trustedDomain)
  • (objectClass=user)
  • (primaryGroupID=512)
  • (primaryGroupID=515)
  • (primaryGroupID=516)
  • (primaryGroupID=521)
  • (sAMAccountType=268435456)
  • (sAMAccountType=268435457)
  • (sAMAccountType=536870912)
  • (sAMAccountType=536870913)
  • (sAMAccountType=805306368)
  • (sAMAccountType=805306369)
  • (schemaIDGUID=\*)
  • (userAccountControl:1.2.840.113556.1.4.803:=2097152)
  • (userAccountControl:1.2.840.113556.1.4.803:=4194304)
  • (userAccountControl:1.2.840.113556.1.4.803:=524288)
  • (userAccountControl:1.2.840.113556.1.4.803:=544)
  • (userAccountControl:1.2.840.113556.1.4.803:=65536)
  • (userAccountControl:1.2.840.113556.1.4.803:=8192)
  • Domain Admins
  • admincount=1
  • ms-MCS-AdmPwd
  • msDS-AllowedToActOnBehalfOfOtherIdentity
  • msDS-AllowedToDelegateTo
  • msDS-GroupManagedServiceAccount
  • objectGUID=\*