Rules Contributing to BloodHound Enumeration Activity

The following rules are used to identify potential domain enumeration activity from BloodHound or other Active Directory data collection tools. Any one or more of these will trigger the BloodHound Enumeration Activity alert. The details for each rule follow its description.
| Title | Description |
|---|---|
| BloodHound Enumeration Activity | Detects unusual LDAP search requests, which can be potential domain enumeration activity from BloodHound or other Active Directory data collection tools. |

- Rule ID:
- Query:

```python
{
    'selection_search': {'metadata|contains': ["'message_type': 3"]},
    'selection_generic': {'metadata|contains': [
        '(grouptype:1.2.840.113556.1.4.803:=2147483648)', '(grouptype:1.2.840.113556.1.4.803:=2147483656)',
        '(grouptype:1.2.840.113556.1.4.803:=2147483652)', '(grouptype:1.2.840.113556.1.4.803:=2147483650)',
        '(samaccounttype=805306369)', '(samaccounttype=805306368)', '(samaccounttype=536870913)',
        '(samaccounttype=536870912)', '(samaccounttype=268435457)', '(samaccounttype=268435456)',
        '(objectcategory=grouppolicycontainer)', '(objectcategory=organizationalunit)',
        '(objectcategory=computer)', '(objectcategory=ntdsdsa)', '(objectcategory=server)',
        '(objectcategory=domain)', '(objectcategory=person)', '(objectcategory=group)',
        '(objectcategory=user)', '(objectclass=trusteddomain)', '(objectclass=computer)',
        '(objectclass=server)', '(objectclass=group)', '(objectclass=user)', '(primarygroupid=521)',
        '(primarygroupid=516)', '(primarygroupid=515)', '(primarygroupid=512)', 'objectguid=',
        '(schemaidguid=']},
    'selection_dn_enum': {'metadata|contains': [
        'cn=domain admins', 'cn=enterprise admins', 'cn=group policy creator owners']},
    'selection_allobject': {'metadata|contains': ["'filter': '(objectclass=*)'"]},
    'selection_suspicious': {'metadata|contains': [
        '(useraccountcontrol:1.2.840.113556.1.4.803:=4194304)', '(useraccountcontrol:1.2.840.113556.1.4.803:=2097152)',
        '!(useraccountcontrol:1.2.840.113556.1.4.803:=1048574)', '(useraccountcontrol:1.2.840.113556.1.4.803:=524288)',
        '(useraccountcontrol:1.2.840.113556.1.4.803:=65536)', '(useraccountcontrol:1.2.840.113556.1.4.803:=8192)',
        '(useraccountcontrol:1.2.840.113556.1.4.803:=544)', '!(useraccountcontrol:1.2.840.113556.1.4.803:=2)',
        'msds-allowedtoactonbehalfofotheridentity', 'msds-allowedtodelegateto',
        'msds-groupmanagedserviceaccount', '(accountexpires=9223372036854775807)',
        '(accountexpires=0)', '(admincount=1)', 'ms-mcs-admpwd']},
    'filter_generic': {'metadata|contains': ['(domainsid=', '(objectsid=', '(cn=']},
    'condition': 'selection_search and (((selection_generic or (selection_dn_enum and selection_allobject)) and not filter_generic) or selection_suspicious)'
}
```

- Log Source: Stellar Cyber Network Events configured for:
- Rule Source: Developed internally by Stellar Cyber
- Tactics, Techniques, and Procedures: TA0007, T1482, T1087.002, T1069.002
- References:
- Severity: 74
- Suppression Logic Based On:
- Additional Information:
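The following is an added worked example, not Stellar Cyber's own rule engine or code, showing how the selections and the condition of the query above combine on constructed LDAP search events: a collector-style sweep for every user object fires, a lookup narrowed with `(cn=` does not, a read of the Domain Admins group with `(objectClass=*)` fires through the `selection_dn_enum and selection_allobject` branch, and a narrowed query that carries one of the `selection_suspicious` attributes still fires. The `metadata` field layout (the string form of the parsed LDAP message), case-insensitive `contains` matching (Sigma's default), the sample events and the helper names are assumptions made for the illustration; only the selection values and the condition string come from the rule.

```python
"""Evaluate the BloodHound Enumeration Activity rule against LDAP search events.

Added example, not Stellar Cyber's own engine. RULE is copied from the page; the
event layout, helper names and sample events are constructed assumptions.
"""
import ast

RULE = {
    "selection_search": {"metadata|contains": ["'message_type': 3"]},
    "selection_generic": {"metadata|contains": [
        "(grouptype:1.2.840.113556.1.4.803:=2147483648)", "(grouptype:1.2.840.113556.1.4.803:=2147483656)",
        "(grouptype:1.2.840.113556.1.4.803:=2147483652)", "(grouptype:1.2.840.113556.1.4.803:=2147483650)",
        "(samaccounttype=805306369)", "(samaccounttype=805306368)", "(samaccounttype=536870913)",
        "(samaccounttype=536870912)", "(samaccounttype=268435457)", "(samaccounttype=268435456)",
        "(objectcategory=grouppolicycontainer)", "(objectcategory=organizationalunit)",
        "(objectcategory=computer)", "(objectcategory=ntdsdsa)", "(objectcategory=server)",
        "(objectcategory=domain)", "(objectcategory=person)", "(objectcategory=group)",
        "(objectcategory=user)", "(objectclass=trusteddomain)", "(objectclass=computer)",
        "(objectclass=server)", "(objectclass=group)", "(objectclass=user)", "(primarygroupid=521)",
        "(primarygroupid=516)", "(primarygroupid=515)", "(primarygroupid=512)", "objectguid=",
        "(schemaidguid="]},
    "selection_dn_enum": {"metadata|contains": [
        "cn=domain admins", "cn=enterprise admins", "cn=group policy creator owners"]},
    "selection_allobject": {"metadata|contains": ["'filter': '(objectclass=*)'"]},
    "selection_suspicious": {"metadata|contains": [
        "(useraccountcontrol:1.2.840.113556.1.4.803:=4194304)", "(useraccountcontrol:1.2.840.113556.1.4.803:=2097152)",
        "!(useraccountcontrol:1.2.840.113556.1.4.803:=1048574)", "(useraccountcontrol:1.2.840.113556.1.4.803:=524288)",
        "(useraccountcontrol:1.2.840.113556.1.4.803:=65536)", "(useraccountcontrol:1.2.840.113556.1.4.803:=8192)",
        "(useraccountcontrol:1.2.840.113556.1.4.803:=544)", "!(useraccountcontrol:1.2.840.113556.1.4.803:=2)",
        "msds-allowedtoactonbehalfofotheridentity", "msds-allowedtodelegateto",
        "msds-groupmanagedserviceaccount", "(accountexpires=9223372036854775807)",
        "(accountexpires=0)", "(admincount=1)", "ms-mcs-admpwd"]},
    "filter_generic": {"metadata|contains": ["(domainsid=", "(objectsid=", "(cn="]},
    "condition": "selection_search and (((selection_generic or (selection_dn_enum and "
                 "selection_allobject)) and not filter_generic) or selection_suspicious)",
}


def selection_matches(selection, event):
    """Every field check in a selection must hold (AND); a list of patterns is an OR.
    Only the 'contains' modifier is needed here; matching is case-insensitive, which
    is Sigma's default and is assumed to be the platform's behaviour as well."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier: {modifier!r}")
        haystack = str(event.get(field, "")).lower()
        if not any(p.lower() in haystack for p in patterns):
            return False
    return True


def _eval(node, truth):
    """Walk the condition as a boolean expression; only and/or/not and names are allowed."""
    if isinstance(node, ast.Expression):
        return _eval(node.body, truth)
    if isinstance(node, ast.Name):
        return truth[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, truth)
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, truth) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    raise ValueError(f"unsupported condition syntax: {type(node).__name__}")


def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    truth = {name: selection_matches(sel, event)
             for name, sel in rule.items() if name != "condition"}
    return _eval(ast.parse(rule["condition"], mode="eval"), truth)


def ldap_event(**fields):
    """Constructed event: the rule inspects 'metadata' as the text form of the parsed
    LDAP message, so the string form of a dict is assumed here."""
    return {"metadata": str(fields)}


# Constructed sample events (not real captures).
SAMPLE_EVENTS = {
    # Collector-style sweep for every user object: generic filter, nothing narrowing it.
    "user_sweep": ldap_event(message_type=3, base_object="DC=corp,DC=example",
                             filter="(samAccountType=805306368)"),
    # Ordinary lookup of one named account: '(cn=' in filter_generic suppresses the alert.
    "single_user_lookup": ldap_event(message_type=3, base_object="DC=corp,DC=example",
                                     filter="(&(objectClass=user)(cn=jdoe))"),
    # Reading the Domain Admins group with objectClass=* (dn_enum and allobject).
    "domain_admins_read": ldap_event(message_type=3, filter="(objectClass=*)",
                                     base_object="CN=Domain Admins,CN=Users,DC=corp,DC=example"),
    # A narrowed query still alerts when it carries a selection_suspicious attribute.
    "admincount_by_sid": ldap_event(message_type=3, base_object="DC=corp,DC=example",
                                    filter="(&(objectSid=S-1-5-21-1-2-3-500)(adminCount=1))"),
    # Not a search request at all (a bind), so selection_search fails.
    "bind_request": ldap_event(message_type=0, name="svc-backup"),
}


def classify_samples():
    """Map each sample label to whether the rule fires on it."""
    return {label: evaluate(RULE, event) for label, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, fired in classify_samples().items():
        print(f"{label:20s} -> {'ALERT' if fired else 'no alert'}")
```

Run it directly to see which constructed event fires; to check a real record, pass a dict carrying the platform's `metadata` string to `evaluate(RULE, event)`. Because the whole rule is substring matching on one text field, the `filter_generic` exclusion is what keeps ordinary single-object lookups from alerting, and the `or selection_suspicious` branch is what stops that exclusion from hiding queries on delegation, LAPS or adminCount attributes, which is why the fourth sample fires even though it contains `(objectSid=`.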