Suspicious Access to LDAP Attributes

Last updated 9 days ago on 2025-01-22

Created 2 years ago on 2023-01-29

About

Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.

Tags

Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: DiscoveryData Source: SystemData Source: Active DirectoryData Source: WindowsLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ Permission Groups Discovery (T1069)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

winlogbeat-*logs-system.security*logs-windows.forwarded*

Related Integrations

windows(opens in a new tab or window)

system(opens in a new tab or window)

Query

any where event.code == "4662" and not winlog.event_data.SubjectUserSid : "S-1-5-18" and
 winlog.event_data.AccessMaskDescription == "Read Property" and length(winlog.event_data.Properties) >= 2000

Install detection rules in Elastic Security

Detect Suspicious Access to LDAP Attributes in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).