Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 10 Minutes
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Analytics
Detector Tags | LDAP Analytics (Server)
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A user executed multiple LDAP enumeration queries.
Attacker's Goals
An adversary may use the LDAP protocol to gather information about the Active Directory environment and plan lateral movement across the network.
Investigative actions
- Where possible, check the legitimacy of the process that executed these LDAP queries.
- Investigate the LDAP search query for any suspicious indicators.
- Determine whether the search query is generic; generic search queries (often using wildcards) tend to be more suspicious.
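As an added example, not code from this detector entry or its vendor, the following Python sketch applies the parameters above to constructed LDAP query events: it counts distinct search filters per user inside the 10-minute test period, suppresses repeat alerts for the 1-day deduplication period, and flags the generic, wildcard-style filters that the investigative steps single out. The sample events, the log line layout, and the threshold of three distinct filters are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: "<UTC time> <user> <host> <LDAP filter>"
SAMPLE_EVENTS = [
    "2024-05-01T10:00:05Z alice WS01 (&(objectClass=user)(sAMAccountName=jsmith))",
    "2024-05-01T10:01:10Z bob WS02 (objectClass=*)",
    "2024-05-01T10:02:30Z bob WS02 (&(objectCategory=person)(sAMAccountName=*))",
    "2024-05-01T10:03:00Z bob WS02 (objectClass=computer)",
    "2024-05-01T10:30:00Z bob WS02 (objectClass=trustedDomain)",  # inside the 1-day dedup
]
TEST_PERIOD = timedelta(minutes=10)   # the detector's 10-minute test period
DEDUP_PERIOD = timedelta(days=1)      # the detector's 1-day deduplication period
THRESHOLD = 3                         # assumed: distinct filters per user per window that alert
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")
CLASS_ATTRS = {"objectclass", "objectcategory"}

def is_generic_filter(ldap_filter):
    """Generic = enumerates rather than looks up one object: wildcard value, or class-only filter."""
    assertions = ASSERTION_RE.findall(ldap_filter)
    if not assertions:
        return False
    if any("*" in value for _, value in assertions):
        return True
    return all(attr.lower() in CLASS_ATTRS for attr, _ in assertions)

def detect_ldap_enumeration(events, threshold=THRESHOLD):
    """One alert per user per dedup period once `threshold` distinct filters fall in one test period."""
    parsed = []
    for line in events:
        ts, user, _host, ldap_filter = LINE_RE.match(line).groups()
        parsed.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ldap_filter))
    parsed.sort()
    recent, last_alert, alerts = defaultdict(list), {}, []
    for when, user, ldap_filter in parsed:
        # keep only this user's filters that still fall inside the sliding test period
        window = [(t, f) for t, f in recent[user] if when - t <= TEST_PERIOD]
        window.append((when, ldap_filter))
        recent[user] = window
        distinct = {f for _, f in window}
        if len(distinct) < threshold:
            continue
        if user in last_alert and when - last_alert[user] < DEDUP_PERIOD:
            continue  # deduplicated: this user already produced an alert within the period
        last_alert[user] = when
        alerts.append({"user": user, "time": when, "queries": sorted(distinct),
                       "generic": sorted(f for f in distinct if is_generic_filter(f))})
    return alerts
```

In the sample data only `bob` crosses the threshold, and every filter in his window is generic, which is the combination the investigative steps treat as most suspicious.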