OTRF / OSSEM-DM

OSSEM Detection Model
MIT License

Adding process_searched_ldap.yml #41

Closed Cyb3rSn0rlax closed 2 years ago

Cyb3rSn0rlax commented 2 years ago

Adding the process searched ldap relationship. A host-based ETW provider for LDAP search filters performed by a process. This event provides valuable data like PID, search filter and attributes. This is particularly useful for detecting internal discovery techniques performed by tools like SharpHound and Rubeus, etc.
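An added illustration, not part of this PR or of the OSSEM-DM project, of consuming the event this relationship describes: it flattens constructed Defender for Endpoint `DeviceEvents` rows with `ActionType` `LdapSearch` into the PID, search filter and attribute fields mentioned above, then flags processes that issue many distinct filters. The `AdditionalFields` keys (`SearchFilter`, `AttributeList`) and the row layout are assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed sample rows shaped like DeviceEvents records (assumed field names, not from the page).
SAMPLE_EVENTS = [
    {"ActionType": "LdapSearch", "InitiatingProcessId": 4242, "InitiatingProcessFileName": "svc.exe",
     "AdditionalFields": json.dumps({"SearchFilter": "(objectClass=*)", "AttributeList": "*"})},
    {"ActionType": "LdapSearch", "InitiatingProcessId": 4242, "InitiatingProcessFileName": "svc.exe",
     "AdditionalFields": json.dumps({"SearchFilter": "(servicePrincipalName=*)", "AttributeList": "sAMAccountName"})},
    {"ActionType": "LdapSearch", "InitiatingProcessId": 4242, "InitiatingProcessFileName": "svc.exe",
     "AdditionalFields": json.dumps({"SearchFilter": "(objectCategory=group)", "AttributeList": "member"})},
    {"ActionType": "LdapSearch", "InitiatingProcessId": 4242, "InitiatingProcessFileName": "svc.exe",
     "AdditionalFields": json.dumps({"SearchFilter": "(objectClass=computer)", "AttributeList": "dNSHostName"})},
    {"ActionType": "LdapSearch", "InitiatingProcessId": 100, "InitiatingProcessFileName": "explorer.exe",
     "AdditionalFields": json.dumps({"SearchFilter": "(sAMAccountName=alice)", "AttributeList": "displayName"})},
    {"ActionType": "ProcessCreated", "InitiatingProcessId": 100, "InitiatingProcessFileName": "explorer.exe",
     "AdditionalFields": "{}"},
]


def parse_ldap_searches(events):
    """Keep only LdapSearch rows and flatten the fields the PR describes: PID, filter, attributes."""
    out = []
    for ev in events:
        if ev.get("ActionType") != "LdapSearch":
            continue
        extra = json.loads(ev.get("AdditionalFields") or "{}")
        out.append({
            "process_id": ev.get("InitiatingProcessId"),
            "process_name": ev.get("InitiatingProcessFileName"),
            "search_filter": extra.get("SearchFilter", ""),
            "attributes": extra.get("AttributeList", ""),
        })
    return out


def flag_noisy_searchers(searches, threshold=3):
    """Return processes that issued at least `threshold` distinct LDAP filters (a crude discovery signal)."""
    filters = defaultdict(set)
    for s in searches:
        filters[(s["process_id"], s["process_name"])].add(s["search_filter"])
    return {proc: len(seen) for proc, seen in filters.items() if len(seen) >= threshold}


if __name__ == "__main__":
    for proc, n in flag_noisy_searchers(parse_ldap_searches(SAMPLE_EVENTS)).items():
        print(f"pid={proc[0]} name={proc[1]} distinct_filters={n}")
```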

Cyb3rWard0g commented 2 years ago

Thank you @H1L021! Would you mind adding the following:

```yaml
- event_id: LdapSearch
  name: LdapSearch
  platform: Windows
  audit_category: null
  log_channel: DeviceEvents
  log_provider: Microsoft Defender for Endpoint
```

Thank you!

Cyb3rWard0g commented 2 years ago

Thank you, man! 🚀