T1018 – Remote System Discovery (Darktrace Detection)

Darktrace Alert Details
Alert ID: DARKTRACE-REMOTE-DISCOVERY-1018-7842
Alert Time: 2024-02-24 10:30:22 EST
Severity: MEDIUM (72/100)
Source: Darktrace Enterprise Immune System
Rule: “LDAP Query Anomaly – Potential Domain Reconnaissance”
MITRE ATT&CK: T1018 – Remote System Discovery

Alert Details:

Detection: Unusual volume of LDAP queries from single host

Source Host: 192.168.45.78 (ENG-WS-045 – Engineering)
Time: 10:15-10:30 EST
LDAP Queries: 1,247 in 15 minutes (normal is 10-20)

Query Patterns:

10:15:15 – Query: (objectClass=computer) – list all computers
10:15:45 – Query: (&(objectClass=computer)(operatingSystem=server)) – find servers
10:16:12 – Query: (&(objectClass=computer)(operatingSystem=domain controller)) – find DCs
10:16:38 – Query: (cn=sql) – find SQL servers
10:17:05 – Query: (cn=exchange) – find Exchange servers
10:17:33 – Query: (cn=filesrv) – find file servers
10:18:01 – Query: (cn=print) – find print servers
10:18:28 – Query: (cn=vcenter) – find vCenter servers
10:19:15 – Query: (cn=esxi) – find ESXi hosts
(continuing with various system naming patterns)

Results Discovered:

Total Computers: 3,247
Domain Controllers: 4
SQL Servers: 23
Exchange Servers: 2
File Servers: 47
Print Servers: 12
Virtualization Hosts: 8

Detection Logic:

1,247 LDAP queries in 15 minutes (highly anomalous)
Process: powershell.exe (using ADSI)
Query patterns targeting specific system types
Pattern matches adversary remote system discovery

Additional Context:

Host ENG-WS-045 is an engineering workstation
User: alexchen (engineer)
No legitimate reason for LDAP reconnaissance

SOC Investigation Process

Step | Action | Tools Used | Findings
--- | --- | --- | ---
1. Alert Validation | Verify Darktrace alert | Darktrace Console | Confirmed LDAP reconnaissance
2. Process Investigation | Identify PowerShell script | CrowdStrike Falcon | Found Active Directory reconnaissance script
3. User Interview | Contact alexchen | Teams, Phone | User claims “learning PowerShell” – unauthorized
4. Immediate Action | Isolate host temporarily | CrowdStrike | ENG-WS-045 isolated
5. Script Removal | Delete reconnaissance script | CrowdStrike Live Response | Script removed from Downloads folder
6. User Remediation | User counseling | Manager, HR | Policy violation documented

Jira Incident Report
Ticket: SOC-2024-125
Summary: T1018 – LDAP Reconnaissance for Remote System Discovery
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Reconnaissance
Priority: P3 – LOW
Labels: T1018, remote-discovery, ldap, darktrace, policy-violation
Components: Identity-Monitoring, User-Behavior

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Darktrace Enterprise Immune System.
Alert: “LDAP Query Anomaly – Potential Domain Reconnaissance”.
Source Host: ENG-WS-045 (Engineering Department, IP 192.168.45.78).
User: alexchen@company.com (Engineer).
Time: 2024-02-24 10:30 EST.
Technique: MITRE ATT&CK T1018 – Remote System Discovery.

2. Technical Analysis:

Reconnaissance Details:

Tool: PowerShell script using ADSI (Active Directory Service Interfaces)
Commands:

# Bind an ADSI DirectorySearcher to the domain root (straight quotes; the curly quotes in the extracted copy would not parse)
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://company.com")
$searcher.PageSize = 1000

# Find all computers
$searcher.Filter = "(objectClass=computer)"
$computers = $searcher.FindAll()

# Find servers by OS
$searcher.Filter = "(&(objectClass=computer)(operatingSystem=*server*))"
$servers = $searcher.FindAll()

# Find specific systems by name (Get-ADComputer requires the ActiveDirectory RSAT module on the host)
$sqlServers = Get-ADComputer -Filter {Name -like "*sql*"}
$exchangeServers = Get-ADComputer -Filter {Name -like "*exchange*"}

# … and so on

Purpose: Comprehensive inventory of all systems in domain

Systems Discovered:

Total Computers: 3,247 (all workstations, servers)
Domain Controllers: 4 (critical infrastructure)
SQL Servers: 23 (database servers)
Exchange Servers: 2 (email servers)
File Servers: 47 (data storage)
Virtualization Hosts: 8 (VMware ESXi)

User Intent:

User claimed “learning PowerShell for automation”
No malicious intent identified
No authorization for domain-wide reconnaissance
Results saved to C:\Users\alexchen\Desktop\systems.txt

Policy Violation:

Unauthorized domain reconnaissance
Use of discovery techniques without approval
Discovery of critical systems could aid attackers

3. Investigation Findings:

Timeline:

10:15-10:30 – Reconnaissance performed
10:30 – Darktrace alert
10:32 – SOC investigates
10:35 – Host isolated
10:38 – Script identified and removed
10:40 – User interview

Indicators of Compromise (IoCs):

Files:
– C:\Users\alexchen\Downloads\ad_recon.ps1
– C:\Users\alexchen\Desktop\systems.txt

LDAP:
– 1,247 queries in 15 minutes
– Patterns: *server*, *sql*, *exchange*, *dc*, *filesrv*

4. Containment Actions:

Immediate Actions:

Isolated ENG-WS-045 temporarily.
Removed ad_recon.ps1 and systems.txt.
No further action needed (non-malicious).

User Remediation:

User counseled on policy violation.
Required to complete security training.
Documentation sent to manager.

Network Impact:

LDAP queries caused no performance issues.
Discovery data documented for security awareness.

5. Root Cause Analysis:

Primary Cause: User conducted unauthorized domain reconnaissance.
Contributing Factors:
No restrictions on LDAP queries.
User unaware of reconnaissance policy.
Curiosity about Active Directory.

6. Business Impact:

Operational Impact: None.
Security Impact: System inventory exposed to user (already had legitimate access).
Policy Impact: Policy violation documented.

7. Remediation & Prevention:

Completed Actions:

Reconnaissance script removed.
User educated.
Policy reinforced.

Technical Controls Enhanced:

Created alert for high-volume LDAP queries.
Enhanced monitoring for AD reconnaissance.
Implemented application control for unauthorized scripts.
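As an added illustration of the Detection Logic described in the alert and of the high-volume LDAP alert created under Technical Controls (example code written for this report, not Darktrace's or the SOC's own rule), the following Python parses constructed LDAP query log lines, counts queries per source host over a 15-minute sliding window, and reports hosts that exceed a threshold together with the discovery-style filters they issued. The log format, the threshold of 100 and the sample lines are assumptions; the page only states that 10-20 queries per 15 minutes is normal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
THRESHOLD = 100  # assumed alert threshold; the page gives 10-20 queries per 15 min as normal

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) proc=(?P<proc>\S+) filter=(?P<filter>.+)$")
# Query shapes matching the reconnaissance patterns listed in the alert (computers, servers, role names).
DISCOVERY_RE = re.compile(
    r"objectClass=computer|operatingSystem=|cn=\*?(sql|exchange|filesrv|print|vcenter|esxi|dc)\b", re.I)

def parse(lines):
    # Parse log lines into (timestamp, source, process, filter); lines that do not match are skipped.
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["proc"], m["filter"]))
    return events

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    # Per-host peak query count in any sliding window; flagged hosts also carry the discovery filters and processes seen.
    by_src = defaultdict(list)
    for ts, src, proc, flt in parse(lines):
        by_src[src].append((ts, proc, flt))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):  # two-pointer sliding window over time-sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            discovery = sorted({flt for _, _, flt in evs if DISCOVERY_RE.search(flt)})
            findings[src] = {"peak_queries": peak, "discovery_filters": discovery,
                             "processes": sorted({proc for _, proc, _ in evs})}
    return findings

# Constructed sample: a burst from ENG-WS-045 mirroring the alert, plus one benign query from another host.
SAMPLE_LOGS = [
    "2024-02-24T10:15:15 src=192.168.45.78 proc=powershell.exe filter=(objectClass=computer)",
    "2024-02-24T10:15:45 src=192.168.45.78 proc=powershell.exe filter=(&(objectClass=computer)(operatingSystem=*server*))",
    "2024-02-24T10:16:38 src=192.168.45.78 proc=powershell.exe filter=(cn=sql)",
    "2024-02-24T10:20:00 src=192.168.45.10 proc=outlook.exe filter=(mail=user@company.com)",
] + [f"2024-02-24T10:{15 + i // 10:02d}:{(i % 10) * 6:02d} src=192.168.45.78 proc=powershell.exe filter=(cn=host{i})"
     for i in range(120)]
```

Running detect(SAMPLE_LOGS) flags only 192.168.45.78, with a peak of 123 queries in the window and three discovery-style filters; the benign host with a single mailbox lookup is not reported.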

8. Conclusion:

An engineer conducted unauthorized LDAP reconnaissance to discover all systems in the domain, including critical infrastructure. Darktrace detected the anomalous query volume, enabling identification and removal of the script. The activity was a policy violation, not malicious.

Closure Rationale: Script removed; user educated; policy violation documented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 11:30 EST
