[New Rule] ADExplorer collecting Active Directory information #4697
Assignees
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
This rule will be used to detect hackers using ADExplorer to create AD snapshots, which can then be imported in bloodhound using: https://github.com/c3c/ADExplorerSnapshot.py
Some info regarding the way to detect this using LDAP query telemetry, can be found on the following page:
https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
Target Ruleset
None
Target Rule Type
None
Tested ECS Version
No response
Query
No response
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
https://github.com/c3c/ADExplorerSnapshot.py
Redacted Example Data
No response
The text was updated successfully, but these errors were encountered: