Blog Post

Core Infrastructure and Security Blog

11 MIN READ

Active Directory Hardening Series - Part 3 – Enforcing LDAP Signing

Microsoft

Mar 04, 2024

Hi all! Jerry Devore back again to continue talking about hardening Active Directory. If you have been following this series, I hope you have been able to enforce NTLMv2, remove SMBv1 from your dom...

Updated Nov 07, 2024

Version 6.0

ADHardening

JerryDevore

Microsoft

Joined September 20, 2018

View Profile

Core Infrastructure and Security Blog

Follow this blog board to get notified when there's new activity

Glenn_Jefferson

Copper Contributor

Sep 27, 2024

Like Andy I've been using Splunk to track this info do in various ways. Here is one method (removed Domain Name, just replace with your own). Splunk is great for finding this... getting app owners to "care/update" is what is channeling 🙂

sourcetype=WinEventLog EventCode=2889 ComputerName=*.DOMAINFQDN
| rex field=Message "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=Message "(?<username>.*DOMAIN\S.*)"
| rex field=Message "Binding Type:\s*(?<binding_type>[\d]+)"
| table ComputerName, ip, username, binding_type
| dedup ip

another:

sourcetype=WinEventLog EventCode=2889
| rex field=Message "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=Message "Binding Type:\s*(?<binding_type>[\d]+)"
| rex field=Message "Identity the client attempted to authenticate as:\s*(?<username>.*\S.*)"
| table ComputerName, ip, username, binding_type
| dedup ip