TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

The OID Problem: Writing LDAP Detections That Actually Work

2025-12-16

ATT&CK techniques detected

12 predictions
T1087.002 Domain Account
98%
“…Users.py for user enumeration - GetADComputers.py for computer inventory - GetUserSPNs.py for Kerberoasting preparation - findDelegation.py for delegation reconnaissance - secretsdump.py with -ldapfilter for DCSync preparation. The techniques apply to any tool that uses LD…”
T1087.002 Domain Account
97%
“…id to bitwise. Let me walk you through exactly what happens when Impacket sends an LDAP query to a domain controller. This isn't about event logging - this is about how Active Directory's LDAP service actually processes queries at the protocol level. Step 1: the tool crafts…”
T1558.003 Kerberoasting
96%
“…1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}$' winlog.event_data.ldapfilter|contains|all: - 'samaccounttype=805306368' - 'useraccountcontrol&4194304' condition: selection GetUserSPNs.py (Kerberoasting): detection: selection: even…”
T1087.002 Domain Account
93%
“…, complementary to the event logs. Be aware this logs on the client machine, not the DC, so you'll need to enable it on the endpoints you want to monitor. Both perspectives matter. The server shows what the domain controller recorded, while the client shows who made the query, …”
T1087.002 Domain Account
91%
“The OID Problem: Writing LDAP Detections That Actually Work. The detection engineering gap. Most input detection rules come from one of two places: vendor feeds or breach reports. But there's a third way that's surprisingly underutilized — reading attacker source code and bui…”
T1003.006 DCSync
80%
“= "Give me authentication names and security IDs for all users." When you request both together, you're essentially asking for exactly what you need to target accounts for DCSync attacks. No legitimate admin tool needs this specific combination. Figure 5: Google results for "…”
T1654 Log Enumeration
70%
“see this post. GetADUsers.py (user enumeration): detection: selection_event: event.code: 1644 selection_filter: winlog.event_data.ldapfilter|contains: '(samaccountname=*)' selection_attrs: winlog.event_data.attributesrequested|contains|all: -…”
T1087.002 Domain Account
60%
“— they look smart but never fire. - Event 1644 by itself isn't enough for attribution. Pairing it with Event 30 turns "someone did LDAP queries" into "this specific tool from this IP performed delegation reconnaissance." (Note: this correlation works for tools using wldap…”
T1087.002 Domain Account
49%
“OID format? 1.2.840.113556.1.4.803:=2 That's what the client sent before AD translated it to bitwise. When you correlate these by timestamp and client IP, you get the full picture. Event 30 proves the OID pattern was used, and Event 1644 confirms AD processed it as a b…”
T1654 Log Enumeration
40%
“…puters.py (computer enumeration): detection: selection_event: event.code: 1644 selection_filter_short: winlog.event_data.ldapfilter|contains|all: - '(objectcategory=computer)' - '(objectclass=computer)' selection_filter_long: winlog.eve…”
T1654 Log Enumeration
38%
“selection: winlog.event_data.ldapfilter|contains: 'useraccountcontrol&' # Result: actually fires on Impacket activity. AD usually preserves case, but not always: winlog.event_data.ldapfilter|contains: - 'useraccountcontrol&524288' and different tools might …”
T1040 Network Sniffing
36%
“…6.1.4.803 is Microsoft's registered OID (object identifier) which means "perform a bitwise AND matching operation." Think of OIDs as a standardized way for different LDAP implementations to understand complex operations without hardcoding vendor-specific syntax. The …”

Summary

Learn why your LDAP detection rules never fire and how to fix them. Hint: it's the OID-to-bitwise transformation.