From Code to Coverage: A Detection Engineer's Journey Through the LDAP Wilderness

Active Directory reconnaissance tools like BloodHound, Impacket, and SOAPHound are the attacker's first move in enterprise compromises, yet detecting their LDAP queries remains one of the hardest problems in security operations. This talk chronicles a six-month journey from writing my first broken Sigma rule to building a complete, evasion-resistant LDAP detection stack.

You'll learn why traditional signature-based detection fails spectacularly, how to think like both an attacker and a parser, and how mathematical approaches can outsmart evasion techniques. We'll cover OID transformations that break your rules, whitespace variations that mock your regex, hidden LDAP parameters that bypass your detections, and ultimately, statistical methods that make evasion mathematically impossible.

This isn't theory. Every technique is battle-tested in production environments with working Sigma rules, real attack logs, and actual false positive rates. Leave with detection rules and techniques you can deploy Monday morning.
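The OID and whitespace evasions the abstract describes defeat a rule that matches the literal filter string, because `(objectClass=user)`, `( 2.5.4.0 = user )` and `(objectclass=user)` are the same query to the domain controller. The added example below (not the speaker's code or Sigma rules) shows the parser-side answer: canonicalise the filter before matching. The OID-to-name table is a small excerpt quoted from memory of the default AD schema and must be verified against `attributeID` in your own schema; the recon "signatures" and the sample log events are constructed for illustration, not vendor-documented tool fingerprints.

```python
import re

# Constructed excerpt of AD attribute OID -> name mappings, used to undo the
# "write the attribute as its OID" evasion. Assumption: these OIDs are quoted
# from memory of the default AD schema; verify each against attributeID in
# your schema partition before relying on it.
OID_TO_ATTR = {
    "2.5.4.0": "objectclass",
    "1.2.840.113556.1.4.782": "objectcategory",
    "1.2.840.113556.1.4.221": "samaccountname",
    "1.2.840.113556.1.4.8": "useraccountcontrol",
    "1.2.840.113556.1.4.771": "serviceprincipalname",
    "1.2.840.113556.1.4.150": "admincount",
}

# Constructed, illustrative recon signatures in normalized form. These are not
# vendor-documented tool fingerprints; replace them with the filters you
# actually observe from the tools in your own lab.
RECON_SIGNATURES = {
    "spn-enumeration": "(serviceprincipalname=*)",
    "admincount-sweep": "(admincount=1)",
    # 4194304 = DONT_REQ_PREAUTH, matched with the LDAP_MATCHING_RULE_BIT_AND rule
    "asrep-roast-candidates": "(useraccountcontrol:1.2.840.113556.1.4.803:=4194304)",
}

# An attribute type written as a dotted OID right after "(" and before an operator.
_ATTR_OID_RE = re.compile(r"\(\s*(\d+(?:\.\d+)+)\s*(?=[:=<>~])")
# Whitespace hugging structural characters; spaces inside values are untouched.
_STRUCT_WS_RE = re.compile(r"\s*([()&|!=<>~:])\s*")


def normalize_filter(raw: str) -> str:
    """Canonicalise an LDAP search filter so different spellings compare equal."""
    f = raw.strip().lower()
    # Attribute types given as OIDs -> descriptive names we know; unknown OIDs stay.
    f = _ATTR_OID_RE.sub(lambda m: "(" + OID_TO_ATTR.get(m.group(1), m.group(1)), f)
    # Drop whitespace around parens and operators only.
    return _STRUCT_WS_RE.sub(r"\1", f)


def match_recon(raw: str):
    """Return the signature name contained in the normalized filter, else None."""
    norm = normalize_filter(raw)
    for name, sig in RECON_SIGNATURES.items():
        if sig in norm:
            return name
    return None


# Constructed sample events (client address, raw filter) standing in for log lines.
SAMPLE_EVENTS = [
    ("10.0.0.5", "(&(objectClass=user)(servicePrincipalName=*))"),
    ("10.0.0.5", "( 1.2.840.113556.1.4.771 = * )"),  # OID + whitespace spelling of the same query
    ("10.0.0.9", "(cn=print server 01)"),
]


def scan(events):
    """Run the signature check over (client, filter) pairs; keep only the hits."""
    hits = []
    for client, flt in events:
        name = match_recon(flt)
        if name:
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    for client, flt in SAMPLE_EVENTS:
        print(client, repr(normalize_filter(flt)), match_recon(flt))
```

The point is that the regex in your Sigma rule should run against `normalize_filter()`'s output, not the raw `Filter` field; any OID your table does not know about still passes through unchanged, so keep the table generated from the live schema rather than hand-maintained.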

BloodHound, Impacket, SOAPHound. Every red teamer's starting point, every blue teamer's blind spot. LDAP reconnaissance is how attackers learn your environment before you know they're there, and most detections for it are embarrassingly easy to bypass. This talk started as a failure. A Sigma rule that looked right, passed review, and caught nothing in production. Six months later, it turned into a complete LDAP detection stack that's caught tools the vendor community hadn't even documented yet.

We'll get into the specific mechanics of why detections break. OID transformations that silently invalidate your rules, whitespace variations that make regex useless, SDFlags queries that walk straight past ACL monitoring.

Then we'll flip the problem. Instead of chasing attacker syntax, we'll use Event 1644's performance fields to detect enumeration behavior statistically, something no amount of query obfuscation can hide. We'll also cover ADWS correlation for catching PowerShell-based recon that never touches LDAP at all.

Everything here is running in production. You'll get real false positive rates, real tuning decisions, and Sigma rules and detection techniques you can actually use.
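The statistical angle works because an enumeration tool has to pull back the directory no matter how it spells its filters, and that volume shows up in the per-search counters Event 1644 records. The added example below (not the speaker's production logic) scores per-client totals of those counters with a robust outlier test (the Iglewicz-Hoaglin modified z-score on median and MAD) so one noisy client cannot drag the baseline. The records are constructed; the field names are an assumption that mirrors the 1644 layout (client address, filter, entries visited, entries returned), and the filter text is deliberately never inspected.

```python
from collections import defaultdict
from statistics import median, mean

# Constructed 1644-style records (not real logs). Assumption: field names follow
# the Directory Service event 1644 layout, which reports the client address,
# the filter, and per-search performance counters such as entries visited and
# entries returned. Only the counters are scored, so filter spelling is irrelevant.
SAMPLE_1644 = [
    {"client": "10.0.0.11", "filter": "(samaccountname=jdoe)", "visited": 1, "returned": 1},
    {"client": "10.0.0.11", "filter": "(cn=fileserver01)", "visited": 1, "returned": 1},
    {"client": "10.0.0.11", "filter": "(memberof=cn=staff,ou=groups,dc=corp,dc=local)", "visited": 2, "returned": 2},
    {"client": "10.0.0.12", "filter": "(samaccountname=asmith)", "visited": 3, "returned": 3},
    {"client": "10.0.0.13", "filter": "(objectclass=printqueue)", "visited": 5, "returned": 5},
    {"client": "10.0.0.14", "filter": "(cn=svc-backup)", "visited": 2, "returned": 2},
    # One host walking the whole directory with OID-spelled filters: the text
    # evades a string rule, the volume does not.
    {"client": "10.0.0.66", "filter": "( 2.5.4.0 = * )", "visited": 15000, "returned": 15000},
    {"client": "10.0.0.66", "filter": "(1.2.840.113556.1.4.221=*)", "visited": 15000, "returned": 15000},
    {"client": "10.0.0.66", "filter": "(2.5.4.0=group)", "visited": 15000, "returned": 15000},
]


def per_client_totals(events):
    """Aggregate search count and visited/returned counters per client address."""
    totals = defaultdict(lambda: {"searches": 0, "visited": 0, "returned": 0})
    for ev in events:
        t = totals[ev["client"]]
        t["searches"] += 1
        t["visited"] += ev["visited"]
        t["returned"] += ev["returned"]
    return dict(totals)


def modified_z_scores(values):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.
    Falls back to the mean absolute deviation when MAD is zero, and to all-zero
    scores when the data has no spread at all (nothing can be an outlier then)."""
    xs = list(values.values())
    med = median(xs)
    mad = median(abs(x - med) for x in xs)
    if mad:
        return {k: 0.6745 * (v - med) / mad for k, v in values.items()}
    mean_ad = mean(abs(x - med) for x in xs)
    if mean_ad:
        return {k: (v - med) / (1.253314 * mean_ad) for k, v in values.items()}
    return {k: 0.0 for k in values}


def flag_enumerators(events, key="returned", threshold=3.5):
    """Client addresses whose per-client total for `key` is an upper outlier.
    3.5 is the conventional cut-off for the modified z-score; tune per environment."""
    totals = per_client_totals(events)
    scores = modified_z_scores({c: t[key] for c, t in totals.items()})
    return sorted(c for c, z in scores.items() if z > threshold)


if __name__ == "__main__":
    print(per_client_totals(SAMPLE_1644))
    print("flagged on returned entries:", flag_enumerators(SAMPLE_1644))
    print("flagged on visited entries:", flag_enumerators(SAMPLE_1644, key="visited"))
```

One caveat when wiring this to real data: 1644 is only written when Field Engineering diagnostic logging is turned on, and by default only for searches that cross the configured expensive/inefficient thresholds, so the baseline population of "normal" clients may be sparse unless you lower those thresholds on purpose. Score over a time window (per hour, per client) rather than the whole log, and keep the visited-entries variant alongside returned entries, since a query that visits the whole directory but returns little is still a full walk.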

About the Speaker