Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 10 Minutes
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags | LDAP Analytics
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
Possible LDAP enumeration with a rare combination of queries.
Attacker's Goals
An adversary may use the LDAP protocol to gather information about the Active Directory environment and plan lateral movement across the network.
Investigative Actions
- Where possible, check the legitimacy of the process that executed these LDAP queries.
- Investigate the LDAP search query for any suspicious indicators.
- Determine whether the search query is generic; generic search queries (often using wildcards) tend to be more suspicious.