Closed Cyb3rSn0rlax closed 2 years ago
Thank you @H1L021! Would you mind adding the following:

```yaml
- event_id: LdapSearch
  name: LdapSearch
  platform: Windows
  audit_category: null
  log_channel: DeviceEvents
  log_provider: Microsoft Defender for Endpoint
```
Thank you!
Thank you, man! 🚀
Adding process searched ldap relationship. A host-based ETW provider for LDAP search filters performed by a process. This event provides valuable data like PID, search filter and attributes. This is particularly useful for detecting internal discovery techniques performed by tools like SharpHound and Rubeus, etc.
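To show what a detection built on this event could look like, here is an added Python example that is not part of the PR or the project's own code. It runs over constructed rows shaped like Microsoft Defender for Endpoint `DeviceEvents` records with `ActionType` `LdapSearch`, parses the search filter and attribute list out of `AdditionalFields`, and reports processes whose filters look like broad domain enumeration rather than the single-object lookups ordinary clients issue. The `AdditionalFields` key names (`SearchFilter`, `AttributeList`, `DistinguishedName`, `ScopeOfSearch`), the tag names and the sample rows are all assumptions made for this example, not values taken from the PR.

```python
import json
import re
from collections import defaultdict

# Constructed sample rows shaped like Defender for Endpoint DeviceEvents
# records with ActionType "LdapSearch". The AdditionalFields keys used here
# are an assumption about the schema, not taken from the PR above.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessId": 4312,
     "InitiatingProcessFileName": "SharpHound.exe", "ActionType": "LdapSearch",
     "AdditionalFields": json.dumps({
         "SearchFilter": "(objectClass=*)", "AttributeList": "*",
         "DistinguishedName": "DC=corp,DC=example", "ScopeOfSearch": "Subtree"})},
    {"DeviceName": "ws01", "InitiatingProcessId": 4312,
     "InitiatingProcessFileName": "SharpHound.exe", "ActionType": "LdapSearch",
     "AdditionalFields": json.dumps({
         "SearchFilter": "(samAccountType=805306368)",
         "AttributeList": "samaccountname,memberof",
         "DistinguishedName": "DC=corp,DC=example", "ScopeOfSearch": "Subtree"})},
    {"DeviceName": "ws01", "InitiatingProcessId": 5120,
     "InitiatingProcessFileName": "Rubeus.exe", "ActionType": "LdapSearch",
     "AdditionalFields": json.dumps({
         "SearchFilter": "(&(samAccountType=805306368)(servicePrincipalName=*))",
         "AttributeList": "samaccountname,serviceprincipalname",
         "DistinguishedName": "DC=corp,DC=example", "ScopeOfSearch": "Subtree"})},
    {"DeviceName": "ws01", "InitiatingProcessId": 908,
     "InitiatingProcessFileName": "outlook.exe", "ActionType": "LdapSearch",
     "AdditionalFields": json.dumps({
         "SearchFilter": "(&(objectCategory=person)(mail=alice@corp.example))",
         "AttributeList": "displayname,mail",
         "DistinguishedName": "OU=Users,DC=corp,DC=example", "ScopeOfSearch": "Subtree"})},
    # A non-LDAP row, to show that unrelated DeviceEvents are skipped.
    {"DeviceName": "ws01", "InitiatingProcessId": 908,
     "InitiatingProcessFileName": "outlook.exe", "ActionType": "ProcessCreated",
     "AdditionalFields": "{}"},
]

# Filter fragments characteristic of whole-domain enumeration. Tag names are
# assumptions for this example; tune the list to your own baseline.
SUSPICIOUS_FILTERS = [
    ("wildcard_objectclass", re.compile(r"\(objectClass=\*\)", re.I)),
    ("all_user_accounts", re.compile(r"samAccountType=805306368", re.I)),
    ("spn_enumeration", re.compile(r"servicePrincipalName=\*", re.I)),
    ("uac_bitmask_query", re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=", re.I)),
]


def parse_ldap_event(row):
    """Return the LDAP-specific fields of one DeviceEvents row, or None when
    the row is not an LdapSearch event or its AdditionalFields are unusable."""
    if row.get("ActionType") != "LdapSearch":
        return None
    try:
        extra = json.loads(row.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return None
    return {
        "device": row.get("DeviceName", ""),
        "pid": row.get("InitiatingProcessId"),
        "image": row.get("InitiatingProcessFileName", ""),
        "filter": extra.get("SearchFilter", ""),
        "attributes": extra.get("AttributeList", ""),
        "base_dn": extra.get("DistinguishedName", ""),
        "scope": extra.get("ScopeOfSearch", ""),
    }


def tag_filter(search_filter, attributes):
    """Tags for one search: every suspicious pattern the filter matches, plus
    'all_attributes' when the client requests every attribute with '*'."""
    tags = [name for name, rx in SUSPICIOUS_FILTERS if rx.search(search_filter)]
    if attributes.strip() == "*":
        tags.append("all_attributes")
    return tags


def hunt_ldap_discovery(rows):
    """Group LdapSearch events per (device, pid) and report processes that
    issued at least one tagged search, sorted by device then pid."""
    per_process = defaultdict(lambda: {"searches": 0, "tags": set(), "image": ""})
    for row in rows:
        ev = parse_ldap_event(row)
        if ev is None:
            continue
        entry = per_process[(ev["device"], ev["pid"])]
        entry["searches"] += 1
        entry["image"] = ev["image"]
        entry["tags"].update(tag_filter(ev["filter"], ev["attributes"]))
    findings = []
    for (device, pid), entry in sorted(per_process.items(),
                                       key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        if entry["tags"]:
            findings.append({"device": device, "pid": pid, "image": entry["image"],
                             "searches": entry["searches"], "tags": sorted(entry["tags"])})
    return findings


if __name__ == "__main__":
    for f in hunt_ldap_discovery(SAMPLE_EVENTS):
        print(f"{f['device']} pid={f['pid']} {f['image']}: "
              f"{f['searches']} searches, tags={f['tags']}")
```

On the sample rows the Outlook lookup of a single mailbox produces no finding, while the two enumeration-style processes are reported with the filter patterns they matched. The PID and image name carried by the event are what let you pivot from the finding to the process tree in the same `DeviceEvents` data.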