Query Details
LDAP Cross Domain Enumeration
Query
# *LDAP Cross-Domain Enumeration*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1087.002 | Domain Account | https://attack.mitre.org/techniques/T1087/002/ |
| T1069.002 | Domain Groups | https://attack.mitre.org/techniques/T1069/002/ |
#### Description
This rule detects a single device performing LDAP queries for user objects across multiple domains within a short timeframe. This behavior can indicate reconnaissance activity by an attacker attempting to map the Active Directory environment.
#### Author <Optional>
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
## Defender XDR
```KQL
let LookbackWindow = 2h;
IdentityQueryEvents
| where TimeGenerated >= ago(LookbackWindow)
| where ActionType == "LDAP query"
| where Application == "Active Directory"
| extend AF = parse_json(AdditionalFields)
| extend
BaseObject = tostring(AF.BaseObject),
SearchFilter = tostring(AF.SearchFilter),
FromDevice = tostring(AF["FROM.DEVICE"]),
SourceOS = tostring(AF.SourceComputerOperatingSystem)
| where BaseObject matches regex @"^DC=" // Root-Domain
| where SearchFilter has "(objectClass=user)"
| extend Domain = extract(@"DC=([^,]+),DC=ds", 1, BaseObject)
| where isnotempty(Domain)
| summarize
Domains = make_set(Domain),
DomainCount = dcount(Domain),
QueryCount = count(),
BaseObjects = make_set(BaseObject, 5),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by FromDevice, IPAddress, SourceOS
| where DomainCount >= 2 // at least two domains
| extend TimespanMin = datetime_diff("minute", LastSeen, FirstSeen)
| project
FirstSeen,
LastSeen,
TimespanMin,
FromDevice,
IPAddress,
SourceOS,
DomainCount,
Domains,
QueryCount,
BaseObjects
| order by DomainCount desc, QueryCount desc
```
Explanation
This query is designed to detect potential reconnaissance activity within an Active Directory environment by identifying devices that perform LDAP queries for user objects across multiple domains in a short period of time. Here's a simplified breakdown of what the query does:
-
Time Frame: It looks at LDAP query events from the past 2 hours.
-
Filter Criteria:
- It focuses on events where the action type is "LDAP query" and the application is "Active Directory".
- It extracts additional fields from the query to identify the base object, search filter, originating device, and source operating system.
-
Domain Filtering:
- It checks if the base object of the query is a root domain (indicated by "DC=").
- It ensures the search filter is looking for user objects (indicated by "(objectClass=user)").
- It extracts the domain name from the base object.
-
Aggregation:
- It groups the results by the device from which the query originated, along with its IP address and operating system.
- It counts the number of unique domains queried and the total number of queries made.
- It also records the first and last time the queries were seen.
-
Suspicious Activity Detection:
- It flags devices that have queried at least two different domains.
- It calculates the time span between the first and last query.
-
Output:
- It presents the results ordered by the number of domains queried and the total number of queries, showing details like the time span of activity, device information, and the domains queried.
In essence, this query helps identify devices that might be performing suspicious cross-domain enumeration, which could be indicative of an attacker mapping out the network's Active Directory structure.
Details
Benjamin Zulliger
Released: June 22, 2026
Tables
IdentityQueryEvents
Keywords
DeviceUserDomainActiveDirectoryLDAPIPAddressOperatingSystem
Operators
let|where>=ago==extendparse_jsontostringmatches regexhasextractisnotemptysummarizemake_setdcountcountminmaxbydatetime_diffprojectorder bydesc