Interesting AD/LDAP attributes for IR


Would be interested to know beyond samaccountname, displayname, lastlogin, location information (country, location, region), and mail, what other AD user attributes are you gathering when investigating users that were potentially targeted, based on an alert?



The SID is generally useful, especially when dealing with old shadow accounts and access to domain resources.

“A security identifier (SID) is a unique value that identifies a security principal or security
group in Windows operating systems. Well known generic users or generic groups such as
default Administrator or Guest account have defined well known SIDs which remains constant
across all Windows operating systems. Users’ account names are referred by the operating
system internally by their SIDs. Domain account SID is created by concatenating the SID of the
domain with a relative identifier (RID) for the account. SIDs are unique within their scope such
as domain or local, and are never reused. Account SID is created at the time of a particular
account creation. Local account or group SID is generated by the Local Security Authority
(LSA) on the computer and is stored in a secure area of the registry also known as Security
Account Manager (SAM). Domain account or group SID is generated by the domain security
authority and is stored as an attribute of that User or Group object in Active Directory (Microsoft
TechNet, 2003). Sometimes, an Investigator might see SID instead of the respective user or
group name in the GUI due to GUI display or SID resolving problems.”

1 Like


Hey @cody.cornell,

Honestly there are probably a number of properties that would be helpful.

Each situation would differ. However, knowing if an account is even active or not (helps to eliminate false positives unless recently reactivated etc) and then determining normal usage vs possible malicious targeting helps to elevate critical events.

To name a few: enabled, lastbadpasswordattempt, badpwdcount, LogonCount

If you are looking for higher risk accounts, try and determine PasswordNeverExpires, CannotChangePassword, PasswordNeverExpires, PasswordNotRequired, PasswordExpired

1 Like


Thanks @automator those are solid, definitely like the ones around high risk accounts. Legacy service accounts or ones the fall outside of password rotation requirements are always a gem of an audit finding too.



Cookies may be, I’m not sure though
if analytics is a part, then cookies are tracked for sure
User location is another element