Merge PR #4985 from @secDre4mer - Update `Potential Active Directory …

…Reconnaissance/Enumeration Via LDAP` update: Potential Active Directory Reconnaissance/Enumeration Via LDAP - add enumeration of distinguished names
SigmaHQ · Aug 27, 2024 · 5550ccd · 5550ccd
1 parent 5c4f599
commit 5550ccd
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -8,9 +8,10 @@ references:
     - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
     - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
     - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
+    - https://ipurple.team/2024/07/15/sharphound-detection/
 author: Adeem Mawani
 date: 2021-06-22
-modified: 2023-11-03
+modified: 2024-08-27
 tags:
     - attack.discovery
     - attack.t1069.002
@@ -55,6 +56,14 @@ detection:
             - 'Domain Admins'
             - 'objectGUID=\*'
             - '(schemaIDGUID=\*)'
+            - 'admincount=1'
+    distinguished_name_enumeration:
+        EventID: 30
+        SearchFilter: '(objectclass=\*)'
+        DistinguishedName|contains:
+            - 'CN=Domain Admins'
+            - 'CN=Enterprise Admins'
+            - 'CN=Group Policy Creator Owners'
     suspicious_flag:
         EventID: 30
         SearchFilter|contains:
@@ -78,5 +87,5 @@ detection:
         SearchFilter|contains:
             - '(domainSid=*)'
             - '(objectSid=*)'
-    condition: (generic_search and not narrow_down_filter) or suspicious_flag
+    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
 level: medium