This note documents detection patterns related to Active Directory Enumeration within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects AD enumeration binaries and scripts. |
| Sysmon | 1 | Process creation | Critical | Best execution source for AD recon tooling and lineage. |
| PowerShell | 4104 | Script block logging | Critical | Captures PowerView / AD cmdlets / LDAP scripts. |
| Security | 4662 | Object operation performed | High | Directory object access under auditing. |
| Sysmon | 3 | Network connection | High | LDAP / Kerberos / SMB to domain infrastructure. |
| Sysmon | 22 | DNS query | High | DC resolution before enumeration. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Burst of LDAP queries | Rapid AD object requests | Critical | Strong recon signal. |
| Domain trust discovery | nltest / trust queries | High | Common attacker step. |
| Group membership mapping | Admin groups / DA focus | Critical | Privilege targeting clue. |
| SPN / user enumeration | Service account focus | Critical | Often pre-Kerberoast. |
| PowerView usage | Rich scripted AD recon | Critical | Strong offensive indicator. |
| Workstation querying many DC objects | Unusual for user host | High | Valuable anomaly. |
Common Tools
| Tool | Usage |
|---|---|
| net.exe | Domain groups / users |
| nltest.exe | Trust / DC discovery |
| dsquery.exe | Directory object queries |
| dsget.exe | Attribute retrieval |
| PowerShell | AD module / PowerView |
| ldapsearch | Raw LDAP enumeration |
| SharpHound | Graph collection |
| adfind.exe | High-speed AD recon |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 3, 22
- Security Event ID 4662
- PowerShell 4104
- Prefetch: NLTEST.EXE, NET.EXE, DSQUERY.EXE, ADFIND.EXE, SHARPHOUND.EXE
- Amcache / ShimCache
- LDAP telemetry
- DC security logs
- EDR process lineage
MITRE ATT&CK References
- T1087.002 Domain Account Discovery
- T1482 Domain Trust Discovery
- T1069.002 Domain Groups
- T1018 Remote System Discovery
Decision Tree
- Which AD recon tool executed?
  - Native binary
  - PowerShell
  - SharpHound / AdFind
- Which targets queried?
  - Users
  - Groups
  - Trusts
  - SPNs
- Which host initiated?
  - Admin host
  - Workstation
  - Server
- Follow-up activity?
  - Kerberoasting
  - Lateral movement
  - Privilege escalation
- Expand:
  - LDAP volume
  - DC connections
  - Additional recon
- Scope:
  - Single query
  - Full graph collection
  - Campaign-wide recon
Example Detection Templates
KQL
```kql
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("nltest.exe","net.exe","dsquery.exe","adfind.exe","SharpHound.exe")
| project TimeGenerated, Computer, Account, CommandLine
```

```kql
PowerShell
| where EventID == 4104
| where ScriptBlockText has_any ("Get-ADUser","Get-ADGroup","PowerView","Get-Domain")
| project TimeGenerated, Computer, ScriptBlockText
```
EQL
```eql
process where process.name in ("nltest.exe","dsquery.exe","adfind.exe","SharpHound.exe")
```

```eql
sequence by host.name with maxspan=5m
  [ process where process.name in ("SharpHound.exe","adfind.exe") ]
  [ network where destination.port in (389,636,88) ]
```
Sigma
```yaml
title: Active Directory Enumeration Detection
id: 7a4d1c92-ad-enum
status: experimental
description: Detects common Active Directory reconnaissance activity
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith:
      - '\nltest.exe'
      - '\dsquery.exe'
      - '\adfind.exe'
      - '\SharpHound.exe'
  condition: selection
fields:
  - NewProcessName
  - CommandLine
falsepositives:
  - Legitimate administration
level: medium
tags:
  - attack.discovery
```
Splunk SPL
```spl
index=main source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventID=1 earliest=1690447949 latest=1690450687
| search process_name IN (arp.exe,chcp.com,ipconfig.exe,net.exe,net1.exe,nltest.exe,ping.exe,systeminfo.exe,whoami.exe)
    OR (process_name IN (cmd.exe,powershell.exe) AND process IN (*arp*,*chcp*,*ipconfig*,*net*,*net1*,*nltest*,*ping*,*systeminfo*,*whoami*))
| stats values(process) as process, min(_time) as _time by parent_process, parent_process_id, dest, user
| where mvcount(process) > 3
```
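As an added example that is not part of this note, the following Python code implements the recon-burst logic the SPL and EQL templates express (more than three distinct recon commands from one parent process on one host inside a short window), run over constructed Sysmon Event ID 1-style records. The event dictionary layout, the `ev()` helper and every sample value are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon executables from the "Common Tools" table and the SPL template; recon launched
# through cmd.exe / PowerShell is matched on the command line instead.
RECON_BINARIES = {"net.exe", "net1.exe", "nltest.exe", "dsquery.exe", "dsget.exe",
                  "adfind.exe", "sharphound.exe", "ldapsearch.exe", "whoami.exe"}
RECON_CMDLINE = re.compile(r"\b(net1?\s+(group|user|localgroup)|nltest|dsquery|adfind"
                           r"|Get-AD(User|Group|Domain)|Get-Domain|PowerView)\b", re.I)
def is_recon(image, cmd):
    """True when a process-creation event looks like AD enumeration."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in RECON_BINARIES:
        return True
    return name in {"cmd.exe", "powershell.exe", "pwsh.exe"} and bool(RECON_CMDLINE.search(cmd))
def detect_recon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Group recon events by host/user/parent; alert when > threshold distinct commands run within window."""
    groups = defaultdict(list)
    for e in events:
        if is_recon(e["image"], e["cmd"]):
            groups[(e["host"], e["user"], e["parent_pid"])].append(e)
    alerts = []
    for (host, user, ppid), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # slide the window over each candidate start event
            distinct = {e["cmd"].lower() for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(distinct) > threshold:
                alerts.append({"host": host, "user": user, "parent_pid": ppid,
                               "first_seen": start["time"], "commands": sorted(distinct)})
                break  # one alert per parent process is enough
    return alerts

# Constructed sample telemetry shaped like Sysmon Event ID 1 fields (not real log data).
T0 = datetime(2026, 3, 7, 9, 0, 0)
def ev(minutes, host, ppid, image, cmd):
    return {"time": T0 + timedelta(minutes=minutes), "host": host, "user": "CORP\\jdoe",
            "parent_pid": ppid, "image": "C:\\Windows\\System32\\" + image, "cmd": cmd}
SAMPLE_EVENTS = [
    # WS01: four distinct recon commands from one cmd.exe inside two minutes -> burst
    ev(0, "WS01", 4120, "whoami.exe", "whoami /all"),
    ev(0.5, "WS01", 4120, "net.exe", 'net group "Domain Admins" /domain'),
    ev(1, "WS01", 4120, "nltest.exe", "nltest /domain_trusts"),
    ev(2, "WS01", 4120, "powershell.exe", "powershell -c Get-ADUser -Filter *"),
    ev(3, "WS02", 900, "net.exe", "net user jdoe /domain"),  # WS02: single query, no alert
    # WS03: four recon commands, but ten minutes apart -> never > 3 inside one window
    ev(0, "WS03", 77, "dsquery.exe", "dsquery user -limit 0"),
    ev(10, "WS03", 77, "net.exe", "net group /domain"),
    ev(20, "WS03", 77, "nltest.exe", "nltest /dclist:corp"),
    ev(30, "WS03", 77, "adfind.exe", "adfind -f objectcategory=user"),
]
```

Calling `detect_recon_bursts(SAMPLE_EVENTS)` returns one alert for WS01 only; the WS03 chain stays silent because the 5-minute window never holds more than one command, which is the trade-off to tune when slow, spaced-out recon is a concern.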
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Recon sequence monitoring | Alert on AD recon bursts | Critical | Strong early signal |
| LDAP visibility | Monitor unusual query volume | Critical | Core AD telemetry |
| PowerShell logging | Capture scripted recon | Critical | Essential for PowerView |
| Baseline admin tools | Know expected admin hosts | High | Reduce false positives |
| EDR sequence analytics | Detect graph collection | Critical | Better than single process alerts |