Possible LDAP Enumeration of Microsoft Configuration Manager

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-05-13

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Analytics
Detector Tags	LDAP Analytics (Client), LDAP Analytics (Server), Microsoft SCCM Analytics
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Account Discovery (T1087)
Severity	Informational

Description

A possible enumeration on Microsoft Configuration Manager via LDAP was performed. Such enumeration may be used during attacks against the organization.

Attacker's Goals

An attacker is attempting to enumerate Microsoft Configuration Manager.

Investigative actions

Check if the process executes LDAP search queries as part of its normal behavior.
Investigate the LDAP search query for any suspicious indicators.
Determine whether the search query is generic. Wide search queries (often using wildcards) tend to be more suspicious. In our case, we are looking for targeted search queries.
Looking for suspicious activity or logins to the Microsoft Configuration Manager site server.

Variations

Suspicious enumeration on Microsoft Configuration Manager via LDAP