Adversaries may use LDAP queries to search for users with specific comments or descriptions to identify potential targets or credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect reconnaissance efforts and potential credential harvesting attempts.
KQL Query

```kusto
let PersonObject = "objectCategory=person";
let UserClass = "objectClass=user";
let SamAccountUser = "samAccountType=805306368";
let Description = "description=*pass*";
let Comment = "comment=*pass*";
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where (SearchFilter contains Description or SearchFilter contains Comment) and
    (SearchFilter contains PersonObject or SearchFilter contains UserClass or SearchFilter contains SamAccountUser)
```
```yaml
id: ba3da496-7559-4288-834e-8de26a90eb6e
name: PasswordSearch
description: |
  Detect Active Directory LDAP queries that search for users whose comment or description contains the string "pass", which may hint at the user's password.
  This query covers Metasploit's enum_ad_user_comments module.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
query: |
  let PersonObject = "objectCategory=person";
  let UserClass = "objectClass=user";
  let SamAccountUser = "samAccountType=805306368";
  let Description = "description=*pass*";
  let Comment = "comment=*pass*";
  IdentityQueryEvents
  | where ActionType == "LDAP query"
  | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
  | where (SearchFilter contains Description or SearchFilter contains Comment) and
      (SearchFilter contains PersonObject or SearchFilter contains UserClass or SearchFilter contains SamAccountUser)
```
| Sentinel Table | Notes |
|---|---|
| IdentityQueryEvents | Ensure this data connector is enabled |
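To show what the query above actually matches, here is the same detection logic applied offline to a few constructed IdentityQueryEvents-style rows. This is an added example, not part of the Sentinel rule; the event rows and the `Query` text layout are assumptions modelled on the `parse` statement in the KQL.

```python
import re
from typing import Optional

# Constructed sample rows shaped like IdentityQueryEvents (only the columns the rule uses).
SAMPLE_EVENTS = [
    {"ActionType": "LDAP query",
     "Query": "Search Scope: Subtree, Base Object:DC=corp,DC=local, "
              "Search Filter: (&(objectCategory=person)(description=*pass*))"},   # hit
    {"ActionType": "LDAP query",
     "Query": "Search Scope: Subtree, Base Object:DC=corp,DC=local, "
              "Search Filter: (&(objectClass=user)(comment=*PASS*))"},           # hit (case-insensitive)
    {"ActionType": "LDAP query",
     "Query": "Search Scope: Subtree, Base Object:DC=corp,DC=local, "
              "Search Filter: (&(objectClass=computer)(description=*pass*))"},   # no user-object term
    {"ActionType": "LDAP query",
     "Query": "Search Scope: OneLevel, Base Object:OU=Users,DC=corp,DC=local, "
              "Search Filter: (samAccountType=805306368)"},                      # no "pass" term
    {"ActionType": "Directory services replication", "Query": "n/a"},             # not an LDAP query
]

# Mirrors: parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
QUERY_RE = re.compile(r"Search Scope: (?P<scope>.*?), Base Object:(?P<base>.*?), Search Filter: (?P<filter>.*)$")

# The rule's literal search strings; KQL 'contains' is case-insensitive, so compare in lower case.
PASS_PATTERNS = ("description=*pass*", "comment=*pass*")
USER_PATTERNS = ("objectcategory=person", "objectclass=user", "samaccounttype=805306368")


def parse_query(query: str) -> Optional[dict]:
    """Split the Query column into scope, base object and search filter (None if the layout differs)."""
    m = QUERY_RE.search(query)
    return m.groupdict() if m else None


def is_password_search(event: dict) -> bool:
    """True when the event is an LDAP query whose filter has both a *pass* term and a user-object term."""
    if event.get("ActionType") != "LDAP query":
        return False
    parsed = parse_query(event.get("Query", ""))
    if parsed is None:
        return False
    f = parsed["filter"].lower()
    return any(p in f for p in PASS_PATTERNS) and any(u in f for u in USER_PATTERNS)


def hunt(events: list) -> list:
    """Return the subset of events the rule would surface."""
    return [e for e in events if is_password_search(e)]
```

Note that the rule matches the literal substring `*pass*`, so a filter written as `description=*password*` is not caught; widen the pattern list if you want that coverage.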
Scenario: User Account Description Update via PowerShell
Description: An administrator updates user account descriptions using PowerShell scripts, and the descriptions may include the string "pass" for documentation purposes.
Filter/Exclusion: Exclude LDAP queries originating from PowerShell scripts executed by users with the UserAccountControl flag set to Administrator or Domain Admins.

Scenario: Scheduled Job for User Cleanup
Description: A scheduled job runs via Task Scheduler to clean up inactive users and, during this process, updates user descriptions with the string "pass" as a placeholder.
Filter/Exclusion: Exclude LDAP queries initiated by the Task Scheduler job named UserCleanupJob or by any job running under the System or Local Service account.

Scenario: Active Directory Replication via Replication Manager
Description: The AD Replication Manager tool synchronizes user attributes across domain controllers, and during replication the string "pass" may appear in user descriptions.
Filter/Exclusion: Exclude LDAP queries originating from the Replication Manager service, or any query whose sourceDNSName attribute carries the source DC name.

Scenario: User Export to CSV via PowerShell
Description: A PowerShell script exports user data to a CSV file, and the exported description field includes the string "pass" for formatting.
Filter/Exclusion: Exclude LDAP queries initiated by PowerShell scripts matching the file path C:\Scripts\Export-ADUsers.ps1, or by any script run by the Domain Admins group.

Scenario: User Comment Update via ADSI Edit
Description: An administrator manually updates user comments using ADSI Edit, and the comment field contains the string "pass" for internal reference.
Filter/Exclusion: Exclude LDAP queries made via ADSI Edit.