Adversaries enumerate computer objects in Active Directory over LDAP and filter on the operatingSystem attribute to find hosts running versions with known vulnerabilities. This is reconnaissance that typically precedes targeted exploitation, lateral movement or privilege escalation, so SOC teams should hunt for it proactively in Microsoft Sentinel (formerly Azure Sentinel) using the Microsoft Defender for Identity query events in the IdentityQueryEvents table.
KQL Query
let ComputerObject = "objectCategory=computer";
let ComputerClass = "objectClass=computer";
let SamAccountComputer = "sAMAccountType=805306369";
let OperatingSystem = "operatingSystem=";
IdentityQueryEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where (SearchFilter contains ComputerObject or SearchFilter contains ComputerClass or SearchFilter contains SamAccountComputer) and
SearchFilter contains OperatingSystem
id: ab8b5893-0c82-4a8c-ae19-43669b3d1eba
name: VulnComputers
description: |
  Detects Active Directory LDAP queries that search for computer objects by operating system, which attackers use to find hosts running versions affected by specific vulnerabilities.
  The filter logic covers the Metasploit enum_ad_computers module.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
query: |
  let ComputerObject = "objectCategory=computer";
  let ComputerClass = "objectClass=computer";
  let SamAccountComputer = "sAMAccountType=805306369";
  let OperatingSystem = "operatingSystem=";
  IdentityQueryEvents
  | where ActionType == "LDAP query"
  | parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
  | where (SearchFilter contains ComputerObject or SearchFilter contains ComputerClass or SearchFilter contains SamAccountComputer) and
      SearchFilter contains OperatingSystem
| Sentinel Table | Notes |
|---|---|
| IdentityQueryEvents | Requires the Microsoft 365 Defender (MicrosoftThreatProtection) data connector with the IdentityQueryEvents table enabled; the events are generated by Microsoft Defender for Identity sensors on the domain controllers. |
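To check what the parse and filter actually match before deploying the rule, the detection logic can be replayed over a handful of constructed IdentityQueryEvents rows. This is an added example, not part of the original rule: the events are made up, the Query strings assume the "Search Scope: ..., Base Object: ..., Search Filter: ..." layout the rule parses, and only the columns the logic touches are included, so it runs in any Kusto query window without the real table.

```kql
// Added example, not part of the original rule: replays the rule's parse and
// filter logic over constructed IdentityQueryEvents rows so that match
// behaviour can be checked offline. All rows below are constructed samples.
let ComputerObject = "objectCategory=computer";
let ComputerClass = "objectClass=computer";
let SamAccountComputer = "sAMAccountType=805306369";
let OperatingSystem = "operatingSystem=";
let SampleEvents = datatable(Timestamp:datetime, ActionType:string, AccountUpn:string, DeviceName:string, Query:string)
[
    // Metasploit enum_ad_computers style filter: computer objects with a server OS -> matches
    datetime(2024-05-01T10:00:00Z), "LDAP query", "jdoe@contoso.com", "WS-042.contoso.com",
        "Search Scope: Subtree, Base Object: DC=contoso,DC=com, Search Filter: (&(objectCategory=computer)(operatingSystem=*Server*))",
    // Targeted hunt for end-of-life systems using the sAMAccountType form -> matches
    datetime(2024-05-01T10:01:00Z), "LDAP query", "jdoe@contoso.com", "WS-042.contoso.com",
        "Search Scope: Subtree, Base Object: DC=contoso,DC=com, Search Filter: (&(sAMAccountType=805306369)(operatingSystem=Windows Server 2008*))",
    // Plain computer enumeration with no operatingSystem predicate -> does not match,
    // even if the client asks for the operatingSystem attribute in the returned attribute list
    datetime(2024-05-01T10:02:00Z), "LDAP query", "svc-inventory@contoso.com", "INV-01.contoso.com",
        "Search Scope: Subtree, Base Object: DC=contoso,DC=com, Search Filter: (objectCategory=computer)",
    // Filter on operatingSystemVersion: the literal "operatingSystem=" never appears -> does not match
    datetime(2024-05-01T10:03:00Z), "LDAP query", "jdoe@contoso.com", "WS-042.contoso.com",
        "Search Scope: Subtree, Base Object: DC=contoso,DC=com, Search Filter: (&(objectCategory=computer)(operatingSystemVersion=6.1*))",
    // User lookup -> does not match
    datetime(2024-05-01T10:04:00Z), "LDAP query", "jdoe@contoso.com", "WS-042.contoso.com",
        "Search Scope: Subtree, Base Object: DC=contoso,DC=com, Search Filter: (&(objectClass=user)(sAMAccountName=admin*))",
    // Not an LDAP query event -> dropped by the ActionType predicate before parsing
    datetime(2024-05-01T10:05:00Z), "SAMR query", "jdoe@contoso.com", "WS-042.contoso.com",
        "Search Filter: (&(objectCategory=computer)(operatingSystem=*))"
];
SampleEvents
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
// Same predicate as the rule, kept as a column so non-matching rows stay visible for comparison
| extend Matched = (SearchFilter contains ComputerObject or SearchFilter contains ComputerClass or SearchFilter contains SamAccountComputer)
                   and SearchFilter contains OperatingSystem
| project Timestamp, AccountUpn, DeviceName, SearchScope, BaseObject, SearchFilter, Matched
```

The first two rows come back with Matched = true and the rest false. Two things worth knowing before relying on the rule: contains is case-insensitive in KQL, so objectcategory=computer is handled, but the match is on the literal string "operatingSystem=", so a filter on operatingSystemVersion, or a bare computer enumeration that merely requests the operatingSystem attribute, never fires. Relaxing OperatingSystem to "operatingSystem" (no equals sign) closes the first gap at the cost of more noise; the second cannot be seen from the search filter alone. Note also that the parse pattern has no space after "Base Object:", so BaseObject keeps a leading space.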
Scenario: Scheduled System Inventory Scan
Description: A legitimate scheduled inventory job first enumerates domain computers from AD, filtering on operatingSystem, and then collects OS details from each host with PowerShell's Get-CimInstance or WMIC.
Filter/Exclusion: Exclude by the job's service account (AccountUpn) and the host it runs from (DeviceName or IPAddress). IdentityQueryEvents does not record the querying process or its path, so exclusions keyed on C:\Windows\System32\wbem\ or C:\Windows\System32\Tasks\ cannot be expressed against this table.
Scenario: Active Directory Replication
Description: Domain controllers and the services hosted on them query one another over LDAP, and some of those queries look up computer objects. (Replication itself runs over RPC rather than LDAP, but the DC-resident services still generate LDAP query events.)
Filter/Exclusion: Exclude events whose DeviceName or IPAddress is a known domain controller, kept as an explicit list or a Sentinel watchlist. Do not rely on a naming convention such as DNS names ending in .dc; AD does not name controllers that way, so such a filter would exclude nothing or the wrong hosts.
Scenario: Admin Task – Enumerate Computers for Patching
Description: An admin manually enumerates computers for patching or compliance checks with PowerShell's Get-ADComputer or ADSI Edit.
Filter/Exclusion: Exclude the specific admin accounts (AccountUpn) and the privileged workstations or servers (DeviceName) that legitimately run these checks. Do not exclude every member of Domain Admins: the table carries no group membership, and a compromised Domain Admin account performing this reconnaissance is exactly what the rule should surface. Paths such as C:\Windows\System32\WindowsPowerShell\v1.0\ are not visible in IdentityQueryEvents.
Scenario: Third-Party Asset Discovery Tool
Description: A third-party asset discovery tool such as SolarWinds Server & Application Monitor, or Microsoft Entra Connect (formerly Azure AD Connect), queries AD over LDAP to inventory systems.
Filter/Exclusion: Exclude these tools by their service accounts (AccountUpn) and source hosts (DeviceName or IPAddress); process name is not recorded in IdentityQueryEvents, so it cannot be used as a key.
Scenario: User-Initiated Computer Search
Description: A user searches for computers by OS version or other attributes with Active Directory Users and Computers (ADUC) or PowerShell.
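The scenarios above all reduce to exclusions on the three things IdentityQueryEvents does carry for the source of a query: the account, the device and the IP address. The query below is an added example, not the original rule or Microsoft's own code: it applies those exclusions and then aggregates per source so a scan of the whole domain shows up as one row rather than one row per LDAP request. Every host and account name in the allow-lists is a placeholder to be replaced with your own domain controllers and inventory accounts.

```kql
// Added example, not the original rule: the same detection with the false-positive
// exclusions from the scenarios above expressed on IdentityQueryEvents fields, plus
// per-source aggregation for triage. Allow-list entries are placeholders.
let ComputerObject = "objectCategory=computer";
let ComputerClass = "objectClass=computer";
let SamAccountComputer = "sAMAccountType=805306369";
let OperatingSystem = "operatingSystem=";
// Placeholder allow-lists; a Sentinel watchlist read via _GetWatchlist('...') serves the same purpose.
let DomainControllers = dynamic(["DC01.contoso.com", "DC02.contoso.com"]);          // scenario: DC-to-DC traffic
let InventoryAccounts = dynamic(["svc-inventory@contoso.com", "svc-sam@contoso.com"]); // scenarios: inventory job, asset discovery tools
let InventoryHosts = dynamic(["INV-01.contoso.com", "AADCONNECT01.contoso.com"]);
let PatchAdmins = dynamic(["patchadmin@contoso.com"]);                               // scenario: named admins only, never a whole group
IdentityQueryEvents
| where Timestamp > ago(1d)
| where ActionType == "LDAP query"
| parse Query with * "Search Scope: " SearchScope ", Base Object:" BaseObject ", Search Filter: " SearchFilter
| where (SearchFilter contains ComputerObject or SearchFilter contains ComputerClass or SearchFilter contains SamAccountComputer)
    and SearchFilter contains OperatingSystem
// Exclusions keyed on source device and account; in~ is case-insensitive, matching how hostnames and UPNs are reported
| where DeviceName !in~ (DomainControllers)
| where DeviceName !in~ (InventoryHosts)
| where AccountUpn !in~ (InventoryAccounts)
| where AccountUpn !in~ (PatchAdmins)
// One row per source and account; the distinct filters and target DCs are kept for the analyst
| summarize StartTime = min(Timestamp), EndTime = max(Timestamp), QueryCount = count(),
            Filters = make_set(SearchFilter, 20), TargetDCs = make_set(DestinationDeviceName, 10)
    by AccountUpn, DeviceName, IPAddress
| order by QueryCount desc
```

Keeping the exclusions on named accounts and hosts rather than on groups or paths is deliberate: the table cannot express the latter, and a list of specific service accounts is easy to review when someone asks why a source never alerts. The summarize step is also what makes the rule usable as a scheduled analytic: without it, one Metasploit run against a large domain produces a row for every page of results.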