Hunt For All Executed LDAP Queries From A Compromised Device
This guide uses KQL to hunt for LDAP queries executed from a device you already consider compromised. LDAP is the protocol an intruder on a domain-joined host typically uses to enumerate Active Directory (users, groups, computers, service accounts), so reviewing the queries a compromised device issued is a fast way to learn what the attacker was looking for. By narrowing the search to a specific device name and time window, the query surfaces only the LDAP activity that matters for the investigation. Both the Microsoft Defender for Endpoint (Advanced Hunting) and Microsoft Sentinel variants are shown, since the two platforms differ in the name of the timestamp column.
Risk
LDAP queries executed from a compromised device can reveal sensitive directory information (privileged groups, service principal names, trust relationships) and are often the reconnaissance step that precedes privilege escalation or lateral movement. If this activity is not monitored, an adversary can map the directory, move laterally and exfiltrate data without being noticed.
Query
Microsoft Defender For Endpoint

```kql
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; // Customizable: h = hours, d = days
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
    Timestamp,
    QueryType,
    Query,
    Protocol,
    DeviceName,
    DestinationDeviceName,
    TargetAccountUpn
```
Microsoft Sentinel

```kql
let CompromisedDevice = "laptop1.com";
let SearchWindow = 48h; // Customizable: h = hours, d = days
IdentityQueryEvents
| where TimeGenerated > ago(SearchWindow)
| where DeviceName == CompromisedDevice
| where Protocol == "Ldap"
| project
    TimeGenerated,
    QueryType,
    Query,
    Protocol,
    DeviceName,
    DestinationDeviceName,
    TargetAccountUpn
```
The query sets the device name of the compromised host and a search window (48 hours by default) to restrict the results to recent activity. It keeps only events where the protocol is LDAP and projects the fields an analyst needs: the timestamp, the query type and query content, the source and destination device names (the destination is normally a domain controller), and the user account the query targeted. Note that IdentityQueryEvents is populated by Microsoft Defender for Identity sensors on your domain controllers, so the device must have queried a monitored DC for its LDAP activity to appear here.
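When an incident involves more than one host, it helps to run the hunt for several devices at once and summarize the results instead of listing every event. The following KQL is an added example, not part of the original page: it extends the Defender for Endpoint variant to a list of devices and aggregates LDAP query volume per source device, destination domain controller and query type, so broad directory enumeration (many queries, many distinct target accounts) stands out. The device names in the list are constructed placeholders.

```kql
// Added example: hunt across several compromised devices and summarize
// LDAP query volume. Device names are constructed placeholders.
let CompromisedDevices = dynamic(["laptop1.com", "laptop2.com"]);
let SearchWindow = 48h; // Customizable: h = hours, d = days
IdentityQueryEvents
| where Timestamp > ago(SearchWindow)
| where DeviceName in~ (CompromisedDevices)   // case-insensitive match
| where Protocol == "Ldap"
| summarize
    QueryCount = count(),                     // total LDAP queries seen
    DistinctTargets = dcount(TargetAccountUpn), // breadth of enumeration
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleQueries = make_set(Query, 5)        // up to 5 example queries
    by DeviceName, DestinationDeviceName, QueryType
| order by QueryCount desc
```

For Microsoft Sentinel, replace `Timestamp` with `TimeGenerated`, as in the Sentinel variant above.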