Adversaries may perform multiple sensitive LDAP queries to enumerate user accounts or sensitive objects in Active Directory, which could indicate credential stuffing or reconnaissance efforts. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential compromise or lateral movement attempts early.
KQL Query

```kql
let SensitiveObjects = "[\"Administrators\", \"Domain Controllers\", \"Domain Admins\", \"Account Operators\", \"Backup Operators\", \"DnsAdmin\", \"Enterprise Admins\", \"Group Policy Creator Owners\"]";
let ASREP_ROASTING = "userAccountControl:1.2.840.113556.1.4.803:=4194304";
let ASREP_ROASTING1 = "userAccountControl|4194304";
let ASREP_ROASTING2 = "userAccountControl&4194304";
let KERBEROASTING = "serviceprincipalname=*";
let Threshold = 10;
let BinTime = 1m;
let SensitiveQueries = (
    IdentityQueryEvents
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
    | where SensitiveObjects contains QueryTarget or SearchFilter contains "admincount=1");
let Roasting = (
    IdentityQueryEvents
    | where ActionType == "LDAP query"
    | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
    | where SearchFilter contains ASREP_ROASTING or
        SearchFilter contains ASREP_ROASTING1 or
        SearchFilter contains ASREP_ROASTING2 or
        SearchFilter contains KERBEROASTING);
union SensitiveQueries, Roasting
| summarize NumberOfLdapQueries = count(), NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
| where NumberOfDistinctLdapQueries > Threshold
```
```yaml
id: 36582cd7-ddd2-43bc-be79-293a61c42cbe
name: MultipleSensitiveLdaps
description: |
  // Detect multiple sensitive Active Directory LDAP queries made within one bin of time
  // Sensitive queries are defined as Roasting queries or queries against sensitive objects
  // Replace 10 on line 6 with your desired threshold
  // Replace 1m on line 7 with your desired bin time
  // This LDAP query covers the Rubeus, Kerberoast and BloodHound tools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
query: |
  let SensitiveObjects = "[\"Administrators\", \"Domain Controllers\", \"Domain Admins\", \"Account Operators\", \"Backup Operators\", \"DnsAdmin\", \"Enterprise Admins\", \"Group Policy Creator Owners\"]";
  let ASREP_ROASTING = "userAccountControl:1.2.840.113556.1.4.803:=4194304";
  let ASREP_ROASTING1 = "userAccountControl|4194304";
  let ASREP_ROASTING2 = "userAccountControl&4194304";
  let KERBEROASTING = "serviceprincipalname=*";
  let Threshold = 10;
  let BinTime = 1m;
  let SensitiveQueries = (
      IdentityQueryEvents
      | where ActionType == "LDAP query"
      | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
      | where SensitiveObjects contains QueryTarget or SearchFilter contains "admincount=1");
  let Roasting = (
      IdentityQueryEvents
      | where ActionType == "LDAP query"
      | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
      | where SearchFilter contains ASREP_ROASTING or
          SearchFilter contains ASREP_ROASTING1 or
          SearchFilter contains ASREP_ROASTING2 or
          SearchFilter contains KERBEROASTING);
  union SensitiveQueries, Roasting
  | summarize NumberOfLdapQueries = count(), NumberOfDistinctLdapQueries = dcount(SearchFilter) by DeviceName, bin(Timestamp, BinTime)
  | where NumberOfDistinctLdapQueries > Threshold
```
| Sentinel Table | Notes |
|---|---|
| IdentityQueryEvents | Ensure this data connector is enabled |
Scenario: Scheduled LDAP Queries for User Synchronization
Description: A scheduled job using Microsoft Identity Manager (MIM) or Azure AD Connect performs regular LDAP queries to synchronize user data between on-premises Active Directory and cloud services.
Filter/Exclusion: Exclude queries originating from known synchronization tools (e.g., msol or adconnect) or IP addresses associated with the synchronization server.
Scenario: Admin Task – Exporting User Reports
Description: An administrator uses PowerShell or LDIFDE to export user reports, which may involve querying multiple sensitive LDAP attributes.
Filter/Exclusion: Exclude queries executed from administrative PowerShell scripts or from known admin workstations using IP-based filtering.
Scenario: LDAP Query for Group Membership in Security Tools
Description: A SIEM tool (e.g., Splunk or IBM QRadar) or endpoint detection and response (EDR) tool performs LDAP queries to validate group memberships for access control.
Filter/Exclusion: Exclude queries made by known security tools or from specific service accounts used by security platforms.
Scenario: LDAP Query for Password Policy Compliance
Description: A password policy enforcement tool or compliance audit tool queries LDAP to check password expiration or policy compliance across users.
Filter/Exclusion: Exclude queries made by known compliance tools or from specific service accounts used for policy enforcement.
Scenario: LDAP Query for User Account Lockout Monitoring
Description: A monitoring tool or SIEM integration queries LDAP to detect user account lockouts, which may involve multiple sensitive LDAP queries.
Filter/Exclusion: Exclude queries made by monitoring tools or from specific monitoring service accounts.
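The rule's logic (parse the Query column, classify sensitive and roasting filters, bin per device, alert when the distinct-filter count exceeds the threshold) together with the exclusion approach from the scenarios above, re-implemented in Python as an added example so the threshold and allowlists can be exercised against constructed events offline. This is not part of the original rule or any Microsoft code. It assumes each event is a dict carrying the IdentityQueryEvents columns Timestamp, DeviceName, AccountName, QueryTarget, ActionType and Query; the device names, account names and filters in the sample data are constructed. One deliberate difference from the KQL: QueryTarget is matched exactly against the group list rather than by substring, which also prevents an empty QueryTarget from matching.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Marker strings copied from the rule above; the group list becomes a set so
# QueryTarget is matched exactly instead of by substring.
SENSITIVE_OBJECTS = {"Administrators", "Domain Controllers", "Domain Admins",
                     "Account Operators", "Backup Operators", "DnsAdmin",
                     "Enterprise Admins", "Group Policy Creator Owners"}
ROASTING_MARKERS = ("userAccountControl:1.2.840.113556.1.4.803:=4194304",
                    "userAccountControl|4194304",
                    "userAccountControl&4194304",
                    "serviceprincipalname=*")
THRESHOLD = 10      # Threshold in the rule
BIN_SECONDS = 60    # BinTime = 1m in the rule
EPOCH = datetime(1970, 1, 1)

# Same layout the rule's parse statement expects in the Query column.
QUERY_RE = re.compile(
    r"Search Scope: (?P<scope>.*?), Base Object:(?P<base>.*?), Search Filter: (?P<filter>.*)$")


def parse_query(query):
    """Return (SearchScope, BaseObject, SearchFilter), or None if the layout does not match."""
    m = QUERY_RE.search(query)
    if m is None:
        return None
    return m.group("scope"), m.group("base").strip(), m.group("filter")


def is_sensitive(event):
    """Mirror the `where` clauses of SensitiveQueries and Roasting (KQL `contains` is case-insensitive)."""
    parsed = parse_query(event["Query"])
    if parsed is None:
        return False
    search_filter = parsed[2].lower()
    return (event["QueryTarget"] in SENSITIVE_OBJECTS
            or "admincount=1" in search_filter
            or any(marker.lower() in search_filter for marker in ROASTING_MARKERS))


def bin_start(ts, bin_seconds=BIN_SECONDS):
    """Floor a naive UTC datetime to the start of its bin, like KQL bin()."""
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % bin_seconds)


def detect(events, threshold=THRESHOLD, bin_seconds=BIN_SECONDS,
           excluded_accounts=frozenset(), excluded_devices=frozenset()):
    """Return {(DeviceName, bin): (NumberOfLdapQueries, NumberOfDistinctLdapQueries)} for bins over threshold.

    excluded_accounts / excluded_devices are the allowlists from the false-positive
    scenarios (sync, admin and monitoring identities), applied before counting.
    """
    bins = defaultdict(list)
    for e in events:
        if e["ActionType"] != "LDAP query":
            continue
        if e["AccountName"] in excluded_accounts or e["DeviceName"] in excluded_devices:
            continue
        if not is_sensitive(e):
            continue
        key = (e["DeviceName"], bin_start(e["Timestamp"], bin_seconds))
        bins[key].append(parse_query(e["Query"])[2])
    return {key: (len(filters), len(set(filters)))
            for key, filters in bins.items() if len(set(filters)) > threshold}


# --- constructed sample data (hypothetical hosts and accounts, not real telemetry) ---
def make_event(ts, device, account, target, search_filter, action="LDAP query"):
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "QueryTarget": target, "ActionType": action,
            "Query": f"Search Scope: Subtree, Base Object: DC=corp,DC=example, "
                     f"Search Filter: {search_filter}"}


BASE = datetime(2024, 5, 1, 9, 0, 0)
# 12 distinct admincount=1 filters, each counted as a separate sensitive query
SAMPLE_FILTERS = [f"(&(objectClass=user)(admincount=1)(cn={c}*))" for c in "abcdefghijkl"]
SAMPLE_EVENTS = (
    # workstation issuing 12 distinct sensitive filters within 33 seconds -> alert
    [make_event(BASE + timedelta(seconds=3 * i), "WS-FINANCE-07", "jdoe", "corp.example", f)
     for i, f in enumerate(SAMPLE_FILTERS)]
    # Azure AD Connect server producing the same volume -> alert unless its account is excluded
    + [make_event(BASE + timedelta(seconds=3 * i), "SYNC01", "svc_adconnect", "corp.example", f)
       for i, f in enumerate(SAMPLE_FILTERS)]
    # benign single-user lookup: never classified as sensitive
    + [make_event(BASE + timedelta(seconds=5), "WS-HR-02", "asmith", "corp.example",
                  "(&(objectClass=user)(sAMAccountName=asmith))")]
    # one sensitive-object query in a later bin: counted, but far below the threshold
    + [make_event(BASE + timedelta(minutes=2), "WS-HR-02", "asmith", "Domain Admins",
                  "(objectClass=group)")]
)

if __name__ == "__main__":
    for key, (total, distinct) in detect(SAMPLE_EVENTS).items():
        print("no exclusions:", key, total, distinct)
    for key, (total, distinct) in detect(SAMPLE_EVENTS, excluded_accounts={"svc_adconnect"}).items():
        print("sync account excluded:", key, total, distinct)
```

Without exclusions both the workstation and the sync server trip the rule in the 09:00 bin; adding the sync service account to the allowlist leaves only the workstation. In the KQL, the same exclusion is a `where AccountName !in (...)` or `where DeviceName !in (...)` clause placed before the `summarize`, so the allowlisted identities never contribute to the distinct-filter count.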