title: Enumeration via the Global Catalog
description: Detects enumeration of the global catalog (queries to TCP 3268/3269, the global catalog LDAP and LDAPS ports), as performed by BloodHound or other AD reconnaissance tools. Adjust the threshold to the size of the domain.
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
modified: 2020/08/23
tags:
    - attack.discovery
    - attack.t1087 # legacy technique-level tag, kept alongside the sub-technique
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Filtering Platform Connection" must be configured for Success. Event ID 5156 is high-volume; size log storage accordingly.'
detection:
    selection:
        EventID: 5156
        DestinationPort:
            - 3268
            - 3269
    timeframe: 1h
    condition: selection | count() by SourceAddress > 2000
falsepositives:
    - Known domain controllers, which legitimately query the global catalog in volume (exclude them from the rule)
level: medium
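The following is an added example, not part of the Sigma rule or of the authors' work. It applies the rule's logic (EventID 5156 to destination port 3268 or 3269, counted per SourceAddress over a one-hour window, alert when the count exceeds 2000, known domain controllers excluded) to constructed event records. The records are dicts using the rule's field names and are assumed to have already been parsed from the Security log and field-mapped; the IP addresses, the `KNOWN_DCS` allowlist and the event counts are all made up for the demonstration.

```python
"""Added example: the global-catalog enumeration rule run over constructed 5156 events."""
from collections import defaultdict
from datetime import datetime, timedelta

GC_PORTS = {3268, 3269}          # global catalog LDAP / LDAPS
THRESHOLD = 2000                 # rule: count() by SourceAddress > 2000
TIMEFRAME = timedelta(hours=1)   # rule: timeframe: 1h

# Assumed allowlist standing in for the rule's "exclude known DCs" note.
KNOWN_DCS = {"10.0.0.10"}


def matches_selection(event):
    """The rule's 'selection' block: WFP permitted connection to a GC port."""
    return event["EventID"] == 5156 and event["DestinationPort"] in GC_PORTS


def detect(events, threshold=THRESHOLD, timeframe=TIMEFRAME, allowlist=KNOWN_DCS):
    """Return {SourceAddress: peak count} for every non-allowlisted source that
    produced more than `threshold` matching events inside any window of `timeframe`.
    A sliding window is used, which is at least as strict as the fixed buckets
    most Sigma backends emit for 'timeframe'."""
    per_source = defaultdict(list)
    for e in events:
        if matches_selection(e) and e["SourceAddress"] not in allowlist:
            per_source[e["SourceAddress"]].append(e["TimeCreated"])

    alerts = {}
    for src, times in per_source.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Drop events that fell out of the window ending at t.
            while t - times[start] >= timeframe:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[src] = peak
    return alerts


def make_events(src, port, count, start, spacing, event_id=5156):
    """Constructed, evenly spaced event records (not real log data)."""
    return [
        {"EventID": event_id, "SourceAddress": src,
         "DestinationPort": port, "TimeCreated": start + i * spacing}
        for i in range(count)
    ]


def sample_events():
    """Constructed corpus covering the true positive and each false-positive path."""
    t0 = datetime(2020, 5, 11, 15, 0, 0)
    ev = []
    # Workstation hitting the GC 2500 times in ~42 minutes: should alert.
    ev += make_events("10.0.1.55", 3268, 2500, t0, timedelta(seconds=1))
    # 50 GC queries: ordinary use, below threshold.
    ev += make_events("10.0.1.56", 3269, 50, t0, timedelta(seconds=30))
    # 3000 GC queries from a known DC: excluded by the allowlist.
    ev += make_events("10.0.0.10", 3268, 3000, t0, timedelta(seconds=1))
    # 2500 plain LDAP (389) connections: not in the selection at all.
    ev += make_events("10.0.1.57", 389, 2500, t0, timedelta(seconds=1))
    # 2500 GC queries spread over 5 hours: never more than 500 in any hour.
    ev += make_events("10.0.1.58", 3268, 2500, t0, timedelta(seconds=7.2))
    return ev


if __name__ == "__main__":
    for src, n in detect(sample_events()).items():
        print(f"ALERT {src}: {n} global catalog connections within 1h")
```

Running the block prints a single alert for 10.0.1.55. Dropping the allowlist (`detect(sample_events(), allowlist=set())`) also surfaces the domain controller, which is exactly the false positive the rule warns about; the slow enumerator at 10.0.1.58 shows why an attacker who paces queries below the threshold slips past a pure count-based rule.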