Adversaries may use LDAP queries to search for sensitive Active Directory objects, such as service accounts or privileged users, to identify potential targets for lateral movement or privilege escalation. Proactively hunting for such queries in Azure Sentinel can help detect reconnaissance activities early, reducing the risk of undetected persistent access.
KQL Query
```kusto
// Privileged AD groups whose enumeration is worth hunting for.
// The list is kept as a string so that the case-insensitive `contains` below
// can match the QueryTarget column against it, as in the original query.
let SensitiveObjects = "[\"Administrators\", \"Domain Controllers\", \"Domain Admins\", \"Account Operators\", \"Backup Operators\", \"DnsAdmin\", \"Enterprise Admins\", \"Group Policy Creator Owners\"]";
IdentityQueryEvents
| where ActionType == "LDAP query"
// Split the raw Query column into scope, base object and LDAP filter; rows that do not
// match the pattern get empty values rather than being dropped.
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
// An empty QueryTarget would satisfy `contains` for every row, so it is excluded explicitly.
// `contains` is case-insensitive, so "adminCount=1" in the filter also matches.
| where (isnotempty(QueryTarget) and SensitiveObjects contains QueryTarget) or SearchFilter contains "admincount=1"
```
```yaml
id: 86d343dd-1b7c-496f-adba-be52469574d6
name: SensitiveLdaps
description: |
  Detect Active Directory LDAP queries that search for sensitive objects in the organization.
  This LDAP query covers the BloodHound tool.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
query: |
  let SensitiveObjects = "[\"Administrators\", \"Domain Controllers\", \"Domain Admins\", \"Account Operators\", \"Backup Operators\", \"DnsAdmin\", \"Enterprise Admins\", \"Group Policy Creator Owners\"]";
  IdentityQueryEvents
  | where ActionType == "LDAP query"
  | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
  // Exclude empty QueryTarget, which would otherwise satisfy `contains` for every row
  | where (isnotempty(QueryTarget) and SensitiveObjects contains QueryTarget) or SearchFilter contains "admincount=1"
```
| Sentinel Table | Notes |
|---|---|
| IdentityQueryEvents | Ensure this data connector is enabled |
- **Scenario:** BloodHound reconnaissance using LDAP queries
  - **Filter/Exclusion:** `ldap_request_operation == "search" && ldap_filter !~ "(&(objectClass=user)(userAccountControl:1.2.840.113549.1.1.8:=512))"`
  - **Rationale:** BloodHound often performs LDAP searches to identify users and groups, which is part of legitimate security assessment activities.
- **Scenario:** Scheduled job to sync user information with an external directory service
  - **Filter/Exclusion:** `ldap_request_operation == "search" && ldap_filter !~ "(&(objectClass=user)(sAMAccountName=*))"`
  - **Rationale:** Automated synchronization tasks may query user attributes, which is a common administrative task.
- **Scenario:** Admin task to audit user permissions using LDAP
  - **Filter/Exclusion:** `ldap_request_operation == "search" && ldap_filter !~ "(&(objectClass=user)(userAccountControl:1.2.840.113549.1.1.8:=512))"`
  - **Rationale:** Administrators often query user objects to review permissions and group memberships during routine audits.
- **Scenario:** LDAP query from a security tool like Microsoft Defender for Identity
  - **Filter/Exclusion:** `source_ip == "10.0.0.0/8" || source_host == "defender-for-identity"`
  - **Rationale:** Security tools may perform LDAP queries to monitor and analyze Active Directory for suspicious activity.
- **Scenario:** LDAP query triggered by a PowerShell script for user management
  - **Filter/Exclusion:** `ldap_request_operation == "search" && ldap_filter !~ "(&(objectClass=user)(sAMAccountName=*))"`
  - **Rationale:** Scripts used for user provisioning or deprovisioning may query user objects, which is
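The following is an added example, not part of the original hunting query or the Sentinel content it describes. It re-implements the detection logic of the KQL above in Python so it can be run offline against a handful of constructed `IdentityQueryEvents`-style rows: the same `Query` column parse, the same sensitive-object and `admincount=1` match (case-insensitive, as KQL `contains` is), and then the host and network allowlisting that the tuning scenarios above call for. The `DeviceName` and `IPAddress` column names are real `IdentityQueryEvents` columns; the sample rows, host name `defender-for-identity` and network `10.0.0.0/8` are taken from the scenarios above and are assumptions for illustration only. Note that the network exclusion is done with a CIDR membership test rather than the string equality the scenario text shows, since an individual source IP is never literally equal to `"10.0.0.0/8"`.

```python
import ipaddress
import re

# Same privileged-object list as the hunting query.
SENSITIVE_OBJECTS = [
    "Administrators", "Domain Controllers", "Domain Admins", "Account Operators",
    "Backup Operators", "DnsAdmin", "Enterprise Admins", "Group Policy Creator Owners",
]

# Mirrors the KQL: parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
QUERY_RE = re.compile(
    r"Search Scope: (?P<SearchScope>.*?), Base Object:(?P<BaseObject>.*?), Search Filter: (?P<SearchFilter>.*)"
)

# Constructed sample rows shaped like IdentityQueryEvents (not real telemetry).
SAMPLE_EVENTS = [
    # Lookup of a sensitive group by name
    {"ActionType": "LDAP query", "DeviceName": "WS-0123", "IPAddress": "192.168.10.25", "AccountName": "jdoe",
     "QueryTarget": "Domain Admins",
     "Query": "Search Scope: Subtree, Base Object:DC=contoso,DC=com, Search Filter: (&(objectClass=group)(cn=Domain Admins))"},
    # adminCount=1 sweep with no single object targeted
    {"ActionType": "LDAP query", "DeviceName": "WS-0123", "IPAddress": "192.168.10.25", "AccountName": "jdoe",
     "QueryTarget": "",
     "Query": "Search Scope: Subtree, Base Object:DC=contoso,DC=com, Search Filter: (&(samAccountType=805306368)(adminCount=1))"},
    # Benign printer lookup; empty QueryTarget must not match
    {"ActionType": "LDAP query", "DeviceName": "WS-0456", "IPAddress": "192.168.10.40", "AccountName": "asmith",
     "QueryTarget": "",
     "Query": "Search Scope: Subtree, Base Object:DC=contoso,DC=com, Search Filter: (objectClass=printQueue)"},
    # Sensitive lookup from the (assumed) security-tool host in the 10.0.0.0/8 range
    {"ActionType": "LDAP query", "DeviceName": "defender-for-identity", "IPAddress": "10.20.30.40", "AccountName": "svc-mdi",
     "QueryTarget": "Enterprise Admins",
     "Query": "Search Scope: Subtree, Base Object:DC=contoso,DC=com, Search Filter: (cn=Enterprise Admins)"},
    # Not an LDAP query; filtered out by ActionType
    {"ActionType": "SAMR query", "DeviceName": "WS-0789", "IPAddress": "192.168.10.99", "AccountName": "bob",
     "QueryTarget": "Administrators", "Query": ""},
]


def parse_query(query: str) -> dict:
    """Split the Query column into scope, base object and filter.
    Like KQL parse, a non-matching string yields empty fields rather than dropping the row."""
    m = QUERY_RE.search(query or "")
    if not m:
        return {"SearchScope": "", "BaseObject": "", "SearchFilter": ""}
    return {k: v.strip() for k, v in m.groupdict().items()}


def is_sensitive(query_target: str, search_filter: str) -> bool:
    """Case-insensitive equivalent of the KQL where clause.
    The substring test mirrors `SensitiveObjects contains QueryTarget`; the empty guard
    avoids the "" matches-everything quirk of `contains`."""
    target = (query_target or "").strip().lower()
    in_list = bool(target) and any(target in obj.lower() for obj in SENSITIVE_OBJECTS)
    return in_list or "admincount=1" in (search_filter or "").lower()


def hunt(events, allowlisted_hosts=(), allowlisted_networks=()):
    """Return the rows the hunt would surface, minus allowlisted sources.
    Allowlisting is applied after the match so a tuned-out hit is still a deliberate decision."""
    hosts = {h.lower() for h in allowlisted_hosts}
    nets = [ipaddress.ip_network(n) for n in allowlisted_networks]
    hits = []
    for ev in events:
        if ev.get("ActionType") != "LDAP query":
            continue
        parsed = parse_query(ev.get("Query", ""))
        if not is_sensitive(ev.get("QueryTarget", ""), parsed["SearchFilter"]):
            continue
        if ev.get("DeviceName", "").lower() in hosts:
            continue
        ip = ev.get("IPAddress")
        if ip and any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        hits.append({"DeviceName": ev.get("DeviceName"), "AccountName": ev.get("AccountName"),
                     "QueryTarget": ev.get("QueryTarget"), **parsed})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, allowlisted_hosts={"defender-for-identity"}):
        print(hit["DeviceName"], hit["AccountName"], hit["QueryTarget"] or hit["SearchFilter"])
```

Run as-is, the script reports the two workstation hits and suppresses the one from the allowlisted sensor host; passing `allowlisted_networks=["10.0.0.0/8"]` instead gives the same result by source address. Keeping the allowlist as a separate step after the match makes it easy to count how many true positives a given exclusion would have hidden before committing it to the rule.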