Detection | medium | test
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
Log Source
Product: windows
Service: ldap
Definition
Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging
Detection Logic (4 selectors)
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the attribute must have the given bit(s) set.
            # groupType 0x80000000 = security-enabled group, combined below with universal/domain-local/global scope.
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            # sAMAccountType classes: machine accounts, normal user accounts, (non-)security groups, (non-)security aliases
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            # - '(objectCategory=Computer)' Prone to false positives
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            # well-known RIDs: 521 RODCs, 516 Domain Controllers, 515 Domain Computers, 512 Domain Admins
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
            - 'admincount=1'
    distinguished_name_enumeration:
        EventID: 30
        SearchFilter: '(objectclass=\*)'
        DistinguishedName|contains:
            - 'CN=Domain Admins'
            - 'CN=Enterprise Admins'
            - 'CN=Group Policy Creator Owners'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            # userAccountControl bits: 4194304 DONT_REQ_PREAUTH, 2097152 USE_DES_KEY_ONLY, 524288 TRUSTED_FOR_DELEGATION,
            # 65536 DONT_EXPIRE_PASSWORD, 8192 SERVER_TRUST_ACCOUNT, 544 NORMAL_ACCOUNT|PASSWD_NOTREQD, 2 ACCOUNTDISABLE
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            # delegation attributes (RBCD, constrained delegation) and gMSA objects
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            # both values mean "account never expires"
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            # LAPS local administrator password attribute
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        # queries pinned to a single SID are routine lookups, not enumeration
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
MITRE ATT&CK
Tactics: Discovery (TA0007)
Techniques: T1087 Account Discovery, T1069 Permission Groups Discovery, T1482 Domain Trust Discovery
Sub-techniques: T1087.002 Domain Account, T1069.002 Domain Groups
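The four selectors and the condition line above can be exercised offline before shipping the rule to a backend. The following is an added example written for this page, not SigmaHQ's code or the converter's output: it implements Sigma's string semantics (case-insensitive, unescaped `*` as wildcard, `\*` as a literal asterisk, `|contains` as substring), ORs the values inside a field, ANDs the fields inside a selector, and evaluates the condition exactly as written. The value lists are abridged to keep it short, and the Event ID 30 records are constructed, not real telemetry; the `label` field exists only for the demo.

```python
import re
from functools import lru_cache

# Selectors transcribed from the rule above (value lists abridged for the example;
# drop in the full lists when reusing). Plain Sigma strings: unescaped '*' is a
# wildcard, '\*' is a literal asterisk, matching is case-insensitive.
GENERIC_SEARCH = {
    "EventID": [30],
    "SearchFilter|contains": [
        "(groupType:1.2.840.113556.1.4.803:=2147483648)",
        "(sAMAccountType=805306368)",
        "(objectCategory=person)",
        "(objectClass=computer)",
        "(objectClass=user)",
        "(primaryGroupID=512)",
        "Domain Admins",
        "objectGUID=\\*",
        "admincount=1",
    ],
}
DISTINGUISHED_NAME_ENUMERATION = {
    "EventID": [30],
    "SearchFilter": ["(objectclass=\\*)"],
    "DistinguishedName|contains": [
        "CN=Domain Admins", "CN=Enterprise Admins", "CN=Group Policy Creator Owners",
    ],
}
SUSPICIOUS_FLAG = {
    "EventID": [30],
    "SearchFilter|contains": [
        "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
        "(userAccountControl:1.2.840.113556.1.4.803:=524288)",
        "!(UserAccountControl:1.2.840.113556.1.4.803:=2)",
        "msDS-AllowedToActOnBehalfOfOtherIdentity",
        "msDS-AllowedToDelegateTo",
        "(adminCount=1)",
        "ms-MCS-AdmPwd",
    ],
}
NARROW_DOWN_FILTER = {
    "EventID": [30],
    "SearchFilter|contains": ["(domainSid=*)", "(objectSid=*)"],
}


@lru_cache(maxsize=None)
def sigma_regex(value: str, modifier: str):
    """Compile one Sigma string value into an anchored, case-insensitive regex."""
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            parts.append(re.escape(value[i + 1]))  # escaped wildcard: literal char
            i += 2
            continue
        parts.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
        i += 1
    body = "".join(parts)
    if modifier == "contains":
        body = ".*" + body + ".*"
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


def field_matches(event: dict, spec: str, values: list) -> bool:
    """A field matches when ANY listed value matches (Sigma list semantics)."""
    name, _, modifier = spec.partition("|")
    actual = event.get(name)
    if actual is None:  # an absent field never matches
        return False
    return any(sigma_regex(str(v), modifier).match(str(actual)) for v in values)


def selector_matches(event: dict, selector: dict) -> bool:
    """A selector matches when ALL of its fields match."""
    return all(field_matches(event, spec, values) for spec, values in selector.items())


def rule_matches(event: dict) -> bool:
    """condition: (generic_search and not narrow_down_filter) or suspicious_flag
    or distinguished_name_enumeration"""
    generic = selector_matches(event, GENERIC_SEARCH)
    narrow = selector_matches(event, NARROW_DOWN_FILTER)
    suspicious = selector_matches(event, SUSPICIOUS_FLAG)
    dn_enum = selector_matches(event, DISTINGUISHED_NAME_ENUMERATION)
    return (generic and not narrow) or suspicious or dn_enum


# Constructed LDAP-client Event ID 30 records (not real telemetry); 'label' is a
# handle for the demo only. Field names follow the rule.
SAMPLE_EVENTS = [
    {"label": "bloodhound_user_enum", "EventID": 30,
     "SearchFilter": "(&(objectCategory=person)(objectClass=user))"},
    {"label": "computer_enum", "EventID": 30,
     "SearchFilter": "(&(objectCategory=computer)(objectClass=computer))"},
    # generic hit, but pinned to one SID: suppressed by narrow_down_filter
    {"label": "sid_lookup", "EventID": 30,
     "SearchFilter": "(&(objectClass=user)(objectSid=S-1-5-21-1004336348-1177238915-682003330-500))"},
    # suspicious_flag is not gated by narrow_down_filter, so this still fires
    {"label": "unconstrained_delegation", "EventID": 30,
     "SearchFilter": "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(objectSid=S-1-5-21-1004336348-1177238915-682003330-1105))"},
    {"label": "domain_admins_base_query", "EventID": 30, "SearchFilter": "(objectClass=*)",
     "DistinguishedName": "CN=Domain Admins,CN=Users,DC=corp,DC=example"},
    {"label": "users_container_base_query", "EventID": 30, "SearchFilter": "(objectClass=*)",
     "DistinguishedName": "CN=Users,DC=corp,DC=example"},
    {"label": "wrong_event_id", "EventID": 31,
     "SearchFilter": "(&(objectCategory=person)(objectClass=user))"},
    {"label": "benign_name_lookup", "EventID": 30, "SearchFilter": "(sAMAccountName=jdoe)"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return (label, fired) pairs for every event."""
    return [(e["label"], rule_matches(e)) for e in events]


if __name__ == "__main__":
    for label, fired in run():
        print(("ALERT " if fired else "      ") + label)
```

The `sid_lookup` and `unconstrained_delegation` records show the asymmetry in the condition: `narrow_down_filter` only suppresses `generic_search`, so a query that asks for a delegation flag fires even when it is pinned to one `objectSid`. The two base-object `(objectClass=*)` queries show why `distinguished_name_enumeration` needs both the exact filter and a privileged-group DN. To run this against real records, enable the analytic channel the rule requires (for example `wevtutil sl Microsoft-Windows-LDAP-Client/Debug /e:true /q:true` on the monitored host) and feed Event ID 30 entries in as dicts with the same field names.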
Rule Metadata
Rule ID
31d68132-4038-47c7-8f8e-635a39a7c174
Status
test
Level
medium
Type
Detection
Created
Tue Jun 22
Modified
Fri Jul 04
Author
Path
rules/windows/builtin/ldap/win_ldap_recon.yml
Raw Tags
attack.discovery, attack.t1069.002, attack.t1087.002, attack.t1482