TTPwire Vol. 1 · MITRE ATT&CK Tagged


Huntress

SDFlags | Huntress

2026-01-15

ATT&CK techniques detected

9 predictions
T1482 Domain Trust Discovery · 93%
“…enumeration - computer object queries - domain object enumeration - trust relationship queries. What they're asking: "Who has permissions on these objects?" Example from logs: Filter: (sAMAccountType=805306368) # computer accounts. Attributes: nTSecurityDescriptor, sAMA…”
T1069.002 Domain Groups · 72%
“…even is nTSecurityDescriptor? I went back to Microsoft documentation and found MS-DTYP section 2.4.6: SECURITY_DESCRIPTOR. The structure contains four components: OwnerSid, GroupSid, DACL (discretionary access control list), and SACL (system access control list). I ne…”
T1098.007 Additional Local or Domain Groups · 64%
“…untType=268435457)...) # security groups. Attributes: nTSecurityDescriptor, sAMAccountName, objectSid, member,... SDFlags: 0x5. This makes sense when you think about attack paths. In a misconfigured environment, you might find something like this: Group: "Domain Admins"…”
T1069.002 Domain Groups · 64%
“In my lab, everything was configured correctly. But in a production environment with years of changes, manual modifications, and inherited permissions? You might find: - Help desk with WriteProperty on Domain Admins (can add members) - A regular user account that owns a privil…”
T1087.002 Domain Account · 53%
“- Who are the users? (basic LDAP query) - What groups exist? (basic LDAP query) - Who is a member of what? (member attribute) - Who has permissions on what? - This is nTSecurityDescriptor! Without nTSecurityDescriptor, you can't see: - That a help desk group can modify p…”
T1069.002 Domain Groups · 52%
“…to perform common tasks while I monitored Event 1644: Legitimate activity: Admin using ADUC to check "Domain Admins" members: Filter: (distinguishedName=CN=Domain Admins,CN=Users,DC=corp,DC=local) Attributes: member, description. SDFlags: [none]. Admin usin…”
T1482 Domain Trust Discovery · 48%
“…untName, objectSid, member,... SDFlags: 0x5. SharpHound cert template enumeration: Attributes: nTSecurityDescriptor, distinguishedName, name,... SDFlags: 0x5. They all query nTSecurityDescriptor. Because without it, you can't map who has the ability to compromise what. Unde…”
T1087.002 Domain Account · 46%
“…to perform common tasks while I monitored Event 1644: Legitimate activity: Admin using ADUC to check "Domain Admins" members: Filter: (distinguishedName=CN=Domain Admins,CN=Users,DC=corp,DC=local) Attributes: member, description. SDFlags: [none]. Admin usin…”
T1098 Account Manipulation · 39%
“…untType=268435457)...) # security groups. Attributes: nTSecurityDescriptor, sAMAccountName, objectSid, member,... SDFlags: 0x5. This makes sense when you think about attack paths. In a misconfigured environment, you might find something like this: Group: "Domain Admins"…”

Summary

While investigating LDAP filters and attributes, I completely missed "SDFlags" in my Event 1644 logs. When I finally noticed it, the investigation led to nTSecurityDescriptor, attack path discovery, and a high-confidence detection signature.