This note documents detection patterns related to LDAP Enumeration within Active Directory environments.
Direct Indicators
| Log Source | Event ID / Provider | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4662 | An operation was performed on an object | High | LDAP reads against AD objects can generate this when Directory Service Access auditing is enabled. Critical fields: ObjectName, ObjectType, AccessMask, SubjectUserName. Excellent for detecting targeted AD reconnaissance. |
| Security | 4624 | Successful logon | Medium | LDAP enumeration usually follows domain authentication. Correlate LogonType 3 / 9, Source IP, Logon ID with later LDAP activity. |
| Security | 4648 | Explicit credentials used | Medium | Often appears when tools authenticate using alternate credentials before LDAP binds (e.g. runas, SharpHound alternate creds). |
| Security | 4768 | Kerberos TGT request | Low-Medium | Initial domain authentication preceding LDAP enumeration. Useful when enumeration originates from non-interactive service or remote host. |
| Security | 4769 | Kerberos service ticket request | Medium | LDAP enumeration against DC may request LDAP/DC SPN tickets (ldap/DC.domain.local). Stronger indicator than 4768 when correlated. |
| Sysmon | 3 | Network connection | High | Detect outbound LDAP / LDAPS to DCs (389 / 636 / 3268 / 3269). Strong process attribution via Image, DestinationIp, DestinationPort. |
| Sysmon | 1 | Process creation | High | Detect execution of tools like SharpHound, PowerView, ldapsearch, dsquery, AdFind.exe. Parent-child chain often highly revealing. |
| Sysmon | 7 | Image loaded | Medium | Useful when suspicious .NET assemblies load LDAP-related libraries (System.DirectoryServices.dll, wldap32.dll). Helps identify in-memory tooling. |
| Sysmon | 10 | Process access | Medium | May reveal post-enumeration escalation activity if enumeration leads into token theft / LSASS access. |
| Directory Service Log | 1644 | Expensive / inefficient LDAP query | Very High | Powerful DC-side detection for enumeration. Captures LDAP filter, client IP, scope, returned objects. Requires diagnostic LDAP logging enabled. Extremely valuable for SharpHound-style collection detection. |
| ETW | Microsoft-Windows-LDAP-Client | LDAP client API activity | Very High | Captures client-side LDAP operations even when Security logs are absent. Includes bind attempts, search filters, server target, query patterns. Excellent for stealthy enumeration detection. |
| ETW | Microsoft-Windows-ActiveDirectory_DomainService | Domain service internal LDAP processing | High | Can expose query execution patterns inside DC internals. Useful in deep DFIR or high-fidelity lab captures. |
| PowerShell | 4104 | Script block logging | Very High | Detects LDAP enumeration done through PowerShell (Get-ADUser, PowerView, ADSI queries). Full script content often exposes exact filters used. |
| PowerShell | 4103 | Module logging | High | Captures AD cmdlets and imported modules used for enumeration. |
| Defender / EDR | Sensor-specific | LDAP hunt telemetry | Very High | Modern EDR often surfaces LDAP query bursts, unusual object counts, or BloodHound-like patterns even without native logs. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Large volume LDAP queries | High number of directory searches in short timeframe | High | Typical behavior of automated enumeration tools. |
| Enumeration of sensitive attributes | Queries targeting admin accounts, SPNs, delegation attributes | Critical | Often preparatory step for attacks such as Kerberoasting or delegation abuse. |
| LDAP traffic from user workstation | LDAP enumeration originating from non-admin machine | High | Suspicious reconnaissance activity. |
| Sequential object discovery | Enumeration of users, groups, computers, and ACLs | Medium | Typical attack path mapping behavior. |
| Execution of BloodHound collectors | Processes associated with SharpHound or BloodHound | Critical | Direct evidence of AD reconnaissance. |
Common Tools
| Tool | Usage |
|---|---|
| SharpHound | Collects Active Directory relationships for BloodHound analysis. |
| PowerView | Performs LDAP queries to enumerate users, groups, computers, and permissions. |
| ldapsearch | Standard LDAP query tool used for enumeration. |
| CrackMapExec | Enumerates domain objects and shares. |
| ADExplorer | GUI tool capable of dumping directory objects. |
Relevant Artifacts
- Domain controller Security logs (4662)
- LDAP query telemetry
- Network traffic logs (LDAP connections)
- Sysmon logs (1, 3)
- EDR telemetry identifying enumeration tools
- Prefetch artifacts for SharpHound, PowerView, ldapsearch
- Authentication logs preceding enumeration
- BloodHound collection artifacts on attacker host
MITRE ATT&CK References
- T1087 Account Discovery
- T1069 Permission Groups Discovery
- T1018 Remote System Discovery
- T1482 Domain Trust Discovery
Decision Tree
- Is the suspicious event present?
  - Identify high volume LDAP queries or enumeration activity.
- What host generated the event?
  - Determine the workstation performing LDAP enumeration.
- Is the account expected to perform this action?
  - Investigate whether the account normally performs directory queries.
- Pivot:
  - Source host → inspect execution of SharpHound or PowerView.
  - Account → review privilege level and access patterns.
  - Network → analyze LDAP traffic patterns and query volume.
- Confirm exploitation
  - Determine whether the attacker performed reconnaissance to map AD attack paths.
Example Detection Templates
Reference: Hunting for reconnaissance activities using LDAP search filters (Microsoft Community Hub)

KQL

```kusto
// Security 4662 (object access) events per account, in 5-minute bins
SecurityEvent
| where EventID == 4662
| summarize count() by SubjectUserName, bin(TimeGenerated, 5m)
```

```kusto
// Endpoint connections to LDAP / LDAPS ports, attributed to the initiating account
// (add 3268 / 3269 to also cover Global Catalog queries)
DeviceNetworkEvents
| where RemotePort in (389, 636)
| summarize count() by InitiatingProcessAccountName, RemoteIP, bin(TimeGenerated, 5m)
```

EQL

```eql
any where event.code == "4662"
```

Sigma

```yaml
title: Suspicious LDAP Enumeration Activity
id: ldap-enumeration-detection
status: experimental
description: Detects high volume LDAP queries which may indicate Active Directory reconnaissance
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
  condition: selection
fields:
  - SubjectUserName
  - ObjectName
falsepositives:
  - Legitimate directory synchronization tools
level: medium
tags:
  - attack.discovery
  - attack.t1087
```

Splunk

```spl
index=* EventCode=4662
| bin _time span=5m
| stats count by SubjectUserName, _time
| where count > 50
| sort - count
```
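The volume-and-attribution logic behind the Splunk, KQL and Sysmon 3 templates above, as an added Python example that is not part of this note or any referenced tool: it bins constructed Security 4662 events into 5-minute windows, flags accounts over the threshold, and attributes each burst to the process that connected to an LDAP port as that user in the same window. All users, paths, timestamps and IPs are made-up sample values.

```python
from collections import Counter
from datetime import datetime, timedelta
LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog, GC over SSL
# Constructed sample telemetry (not real logs): 60 Security 4662 reads by one user in
# one 5-minute window, one read by a sync account, and three Sysmon Event ID 3 connections.
SECURITY_4662 = [
    {"time": "2024-05-01T10:00:%02dZ" % s, "SubjectUserName": "jdoe",
     "ObjectName": "CN=user%d,OU=Staff,DC=corp,DC=local" % s} for s in range(60)
] + [{"time": "2024-05-01T10:01:00Z", "SubjectUserName": "svc_sync",
      "ObjectName": "CN=user1,OU=Staff,DC=corp,DC=local"}]

SYSMON_3 = [
    {"time": "2024-05-01T10:00:05Z", "User": "CORP\\jdoe", "DestinationPort": 389,
     "Image": r"C:\Users\jdoe\Downloads\SharpHound.exe", "DestinationIp": "10.0.0.10"},
    {"time": "2024-05-01T10:00:07Z", "User": "NT AUTHORITY\\SYSTEM", "DestinationPort": 389,
     "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.10"},
    {"time": "2024-05-01T10:02:00Z", "User": "CORP\\jdoe", "DestinationPort": 443,
     "Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "203.0.113.5"},
]

def time_bin(ts, minutes=5):
    """Floor an ISO-8601 UTC timestamp to a fixed window (Splunk 'bin span=5m')."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return t - timedelta(minutes=t.minute % minutes, seconds=t.second)

def ldap_read_bursts(events, threshold=50, minutes=5):
    """{(SubjectUserName, window): count} for accounts exceeding threshold 4662 events."""
    counts = Counter((e["SubjectUserName"], time_bin(e["time"], minutes)) for e in events)
    return {k: c for k, c in counts.items() if c > threshold}

def ldap_connections(events, allowed_images=()):
    """Sysmon 3 connections to LDAP/GC ports, minus an allow-list of known-good images."""
    allowed = {a.lower() for a in allowed_images}
    return [e for e in events
            if e["DestinationPort"] in LDAP_PORTS and e["Image"].lower() not in allowed]

def correlate(bursts, conns):
    """Attribute each 4662 burst to the process that spoke LDAP as that user in that window."""
    hits = []
    for (user, window), count in bursts.items():
        for c in conns:
            if c["User"].split("\\")[-1].lower() == user.lower() and time_bin(c["time"]) == window:
                hits.append({"user": user, "window": window.isoformat(),
                             "count": count, "image": c["Image"]})
    return hits

if __name__ == "__main__":
    for h in correlate(ldap_read_bursts(SECURITY_4662), ldap_connections(SYSMON_3)):
        print("LDAP enumeration burst:", h)
```

The allow-list in `ldap_connections` is where legitimate LDAP clients (directory sync agents, the local `svchost.exe` group-policy client) are excluded so that the correlation only surfaces unexpected process images.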
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Monitoring | Alert on high volume LDAP queries | High | Detects reconnaissance activity. |
| Network controls | Restrict LDAP queries from non-admin systems | High | Reduces reconnaissance surface. |
| EDR monitoring | Detect SharpHound and PowerView execution | Critical | Direct detection of enumeration tooling. |
| Least privilege | Limit directory read permissions where possible | Medium | Reduces exposure of sensitive objects. |
| Threat hunting | Regularly review LDAP query patterns | Medium | Identifies abnormal discovery behavior. |