detection.wiki

Detection rules › Sigma

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Severity
medium
Author
Adeem Mawani
Source
upstream

Detects potential Active Directory enumeration via LDAP

MITRE ATT&CK coverage

TacticTechniques
DiscoveryT1069.002 Permission Groups Discovery: Domain Groups, T1087.002 Account Discovery: Domain Account, T1482 Domain Trust Discovery

Event coverage

ProviderEvent IDTitle
LDAP-Client30

Stages and Predicates

Stage 1: generic_search

or:
SearchFilter|contains: '(groupType:1.2.840.113556.1.4.803:=2147483648)'
SearchFilter|contains: '(groupType:1.2.840.113556.1.4.803:=2147483650)'
SearchFilter|contains: '(groupType:1.2.840.113556.1.4.803:=2147483652)'
SearchFilter|contains: '(groupType:1.2.840.113556.1.4.803:=2147483656)'
SearchFilter|contains: '(objectCategory=domain)'
SearchFilter|contains: '(objectCategory=group)'
SearchFilter|contains: '(objectCategory=groupPolicyContainer)'
SearchFilter|contains: '(objectCategory=nTDSDSA)'
SearchFilter|contains: '(objectCategory=organizationalUnit)'
SearchFilter|contains: '(objectCategory=person)'
SearchFilter|contains: '(objectCategory=server)'
SearchFilter|contains: '(objectCategory=user)'
SearchFilter|contains: '(objectClass=computer)'
SearchFilter|contains: '(objectClass=group)'
SearchFilter|contains: '(objectClass=server)'
SearchFilter|contains: '(objectClass=trustedDomain)'
SearchFilter|contains: '(objectClass=user)'
SearchFilter|contains: '(primaryGroupID=512)'
SearchFilter|contains: '(primaryGroupID=515)'
SearchFilter|contains: '(primaryGroupID=516)'
SearchFilter|contains: '(primaryGroupID=521)'
SearchFilter|contains: '(sAMAccountType=268435456)'
SearchFilter|contains: '(sAMAccountType=268435457)'
SearchFilter|contains: '(sAMAccountType=536870912)'
SearchFilter|contains: '(sAMAccountType=536870913)'
SearchFilter|contains: '(sAMAccountType=805306368)'
SearchFilter|contains: '(sAMAccountType=805306369)'
SearchFilter|contains: '(schemaIDGUID=\*)'
SearchFilter|contains: 'Domain Admins'
SearchFilter|contains: 'admincount=1'
SearchFilter|contains: 'objectGUID=\*'

Stage 2: not narrow_down_filter

or:
SearchFilter|contains: '(domainSid=*)'
SearchFilter|contains: '(objectSid=*)'

Stage 3: suspicious_flag

or:
SearchFilter|contains: '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
SearchFilter|contains: '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
SearchFilter|contains: '(accountExpires=0)'
SearchFilter|contains: '(accountExpires=9223372036854775807)'
SearchFilter|contains: '(adminCount=1)'
SearchFilter|contains: '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
SearchFilter|contains: '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
SearchFilter|contains: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
SearchFilter|contains: '(userAccountControl:1.2.840.113556.1.4.803:=544)'
SearchFilter|contains: '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
SearchFilter|contains: '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
SearchFilter|contains: ms-MCS-AdmPwd
SearchFilter|contains: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
SearchFilter|contains: msDS-AllowedToDelegateTo
SearchFilter|contains: msDS-GroupManagedServiceAccount

Stage 4: distinguished_name_enumeration

or:
DistinguishedName|contains: 'CN=Domain Admins'
DistinguishedName|contains: 'CN=Enterprise Admins'
DistinguishedName|contains: 'CN=Group Policy Creator Owners'
SearchFilter: '(objectclass=\*)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
DistinguishedNamematch
  • CN=Domain Admins
  • CN=Enterprise Admins
  • CN=Group Policy Creator Owners
SearchFiltereq
  • (objectclass=\*)
SearchFiltermatch
  • !(UserAccountControl:1.2.840.113556.1.4.803:=2)
  • !(userAccountControl:1.2.840.113556.1.4.803:=1048574)
  • (accountExpires=0)
  • (accountExpires=9223372036854775807)
  • (adminCount=1)
  • (domainSid=*)
  • (groupType:1.2.840.113556.1.4.803:=2147483648)
  • (groupType:1.2.840.113556.1.4.803:=2147483650)
  • (groupType:1.2.840.113556.1.4.803:=2147483652)
  • (groupType:1.2.840.113556.1.4.803:=2147483656)
  • (objectCategory=domain)
  • (objectCategory=group)
  • (objectCategory=groupPolicyContainer)
  • (objectCategory=nTDSDSA)
  • (objectCategory=organizationalUnit)
  • (objectCategory=person)
  • (objectCategory=server)
  • (objectCategory=user)
  • (objectClass=computer)
  • (objectClass=group)
  • (objectClass=server)
  • (objectClass=trustedDomain)
  • (objectClass=user)
  • (objectSid=*)
  • (primaryGroupID=512)
  • (primaryGroupID=515)
  • (primaryGroupID=516)
  • (primaryGroupID=521)
  • (sAMAccountType=268435456)
  • (sAMAccountType=268435457)
  • (sAMAccountType=536870912)
  • (sAMAccountType=536870913)
  • (sAMAccountType=805306368)
  • (sAMAccountType=805306369)
  • (schemaIDGUID=\*)
  • (userAccountControl:1.2.840.113556.1.4.803:=2097152)
  • (userAccountControl:1.2.840.113556.1.4.803:=4194304)
  • (userAccountControl:1.2.840.113556.1.4.803:=524288)
  • (userAccountControl:1.2.840.113556.1.4.803:=544)
  • (userAccountControl:1.2.840.113556.1.4.803:=65536)
  • (userAccountControl:1.2.840.113556.1.4.803:=8192)
  • Domain Admins
  • admincount=1
  • ms-MCS-AdmPwd
  • msDS-AllowedToActOnBehalfOfOtherIdentity
  • msDS-AllowedToDelegateTo
  • msDS-GroupManagedServiceAccount
  • objectGUID=\*