MITRE ATT&CK® Analytic

AN1026: Analytic 1026

Behavioral detection of domain group enumeration via ldapsearch or custom scripts leveraging LDAP over the network.

Domain: Enterprise | ID: AN1026 | Type: Analytic | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting Linux-based systems that enumerate domain groups over LDAP, commonly through ldapsearch or custom scripts. For leaders, the practical value is confirming whether the organization can see early identity reconnaissance against directory services before it turns into privilege targeting or broader intrusion activity.

Executive priority

Prioritize this as an identity and SOC visibility validation item rather than a standalone control. Security leaders should ask whether Linux endpoints and network paths to LDAP services are monitored, whether domain group enumeration is expected for legitimate administration, and whether SOC teams can distinguish routine directory queries from unusual reconnaissance. This supports incident readiness, identity governance evidence, and audit discussions around monitoring access to sensitive directory information.

Technical view

The supplied ATT&CK object defines a Linux-focused detection analytic for behavioral detection of domain group enumeration via ldapsearch or custom scripts using LDAP over the network. Because no official detection logic or tactic mapping is provided, teams should validate coverage through local telemetry: Linux process execution where available, command-line visibility for ldapsearch, network connections from Linux hosts to LDAP services, and directory-side logs showing group enumeration patterns. Detection engineering should baseline legitimate administrative and application-driven LDAP queries before alerting on unusual sources, volumes, query patterns, or first-seen hosts.

Likely telemetry

  • Linux process execution telemetry, including command-line arguments where collected
  • Network connection telemetry from Linux systems to LDAP services
  • Directory or LDAP server logs showing group search or enumeration activity
  • Authentication and account context associated with LDAP queries
  • Asset inventory identifying Linux hosts expected to query directory services

Detection direction

  • Confirm whether Linux command-line telemetry can identify ldapsearch usage; if not, rely more heavily on network and directory-side evidence.
  • Baseline approved administrative tools, service accounts, and applications that perform LDAP group lookups to reduce false positives.
  • Look for unusual Linux hosts, users, query volume, or timing associated with domain group enumeration over LDAP.
  • Account for custom scripts: detections should not depend only on the ldapsearch process name if LDAP network behavior and directory query logs are available.
  • Document blind spots where encrypted traffic, missing endpoint telemetry, or limited directory logging prevents confident analysis.
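The two sources of evidence described in the Technical view and the Detection direction list above (endpoint command lines for ldapsearch, and network connections to LDAP services that also cover custom scripts and encrypted LDAPS) can be combined into one baseline-aware check. The following Python is an added illustration, not part of the ATT&CK object or Glexia's page; the telemetry, host names, baseline sets and the 20-connection volume threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not real data): a process-execution stream and a
# network-connection stream, as a Linux EDR or auditd/Zeek pipeline might emit them.
PROCESS_EVENTS = [
    {"host": "admin01", "user": "ops-admin", "comm": "ldapsearch",
     "cmdline": "ldapsearch -x -H ldap://dc1 -b dc=corp,dc=local '(objectClass=group)'"},
    {"host": "web07", "user": "www-data", "comm": "ldapsearch",
     "cmdline": "ldapsearch -x -H ldap://dc1 -b dc=corp,dc=local '(objectCategory=group)'"},
    {"host": "web07", "user": "www-data", "comm": "python3", "cmdline": "python3 /tmp/enum.py"},
]
NET_EVENTS = [{"host": "admin01", "comm": "ldapsearch", "dst": "10.0.0.5", "dport": 389}] + \
             [{"host": "web07", "comm": "python3", "dst": "10.0.0.5", "dport": 636}] * 25

# Assumed baseline of approved sources; in practice built from the asset inventory.
BASELINE_HOSTS = {"admin01"}
BASELINE_USERS = {"ops-admin"}
LDAP_PORTS = {389, 636, 3268, 3269}          # LDAP, LDAPS, global catalog
# Command-line fragments that indicate a group enumeration rather than a user lookup.
GROUP_FILTER = re.compile(r"objectclass=group|objectcategory=group|memberof=|primarygroupid=", re.I)


def detect(process_events, net_events, hosts=BASELINE_HOSTS,
           users=BASELINE_USERS, volume_threshold=20):
    """Return (rule, host, subject) tuples; an empty list means nothing unusual."""
    findings = []
    # 1. Endpoint evidence: ldapsearch with a group filter from an unbaselined host or user.
    for e in process_events:
        if e["comm"] == "ldapsearch" and GROUP_FILTER.search(e["cmdline"]):
            if e["host"] not in hosts or e["user"] not in users:
                findings.append(("ldapsearch_group_enum_unbaselined", e["host"], e["user"]))
    # 2. Network evidence: covers custom scripts and LDAPS, where the filter is not visible.
    conns = Counter((n["host"], n["comm"]) for n in net_events if n["dport"] in LDAP_PORTS)
    for (host, comm), count in conns.items():
        if host not in hosts and comm != "ldapsearch":
            findings.append(("ldap_from_unbaselined_process", host, comm))
        if count >= volume_threshold:
            findings.append(("ldap_connection_volume", host, comm))
    return sorted(findings)


if __name__ == "__main__":
    for rule, host, subject in detect(PROCESS_EVENTS, NET_EVENTS):
        print(f"{rule}: host={host} subject={subject}")
```

The approved host admin01 produces no finding, while web07 is flagged three times: once from the command line, once because a non-ldapsearch process reaches the directory from an unbaselined host, and once for connection volume.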

Mitigation priorities

  • Maintain an inventory of Linux systems and accounts authorized to query directory services.
  • Apply least-privilege access to directory information where operationally feasible.
  • Ensure LDAP and directory service logging is enabled at a level sufficient for investigation and compliance evidence.
  • Centralize Linux endpoint, network, and directory telemetry into SOC workflows for correlation.
  • Review administrative practices so legitimate domain group enumeration is performed from known systems and accounts.

Analyst notes and limits

No ATT&CK tactics, relationships, or official detection logic were supplied, so this take focuses on defensive validation implied by the analytic description. The main decision value is whether identity reconnaissance over LDAP from Linux environments is visible, baselined, and triageable.

This summary is based only on the supplied STIX fields and external reference. It does not establish adversary attribution, active exploitation, guaranteed detection, or relevance beyond the Linux platform stated in the object. Local environment baselines are required to determine severity and alert thresholds.

Official MITRE ATT&CK definition

Analytic 1026

Behavioral detection of domain group enumeration via ldapsearch or custom scripts leveraging LDAP over the network.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4ae00738c6bdd03f...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 4ae00738c6bd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack, AN1026 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.