From 0f55e70a4f21d0f253a788db29f9d4a9071dfeb5 Mon Sep 17 00:00:00 2001
From: Frank Korving
Date: Wed, 28 Dec 2022 13:45:37 +0200
Subject: [PATCH 1/3] Update win_ldap_recon.yml

Adds additional IOC for [bloodhound.py](https://github.com/fox-it/BloodHound.py/blob/master/bloodhound/ad/domain.py#L427).

---
 rules/windows/builtin/ldap/win_ldap_recon.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index d9d3365e3..d8bdf44f3 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -67,6 +67,7 @@ detection:
             - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
             - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
             - 'msDS-AllowedToDelegateTo'
+            - 'msDS-GroupManagedServiceAccount'
             - '(accountExpires=9223372036854775807)'
             - '(accountExpires=0)'
             - '(adminCount=1)'

From bf79fa78bcd46039ef4659eca7d577d1cfc15a30 Mon Sep 17 00:00:00 2001
From: Korving-F
Date: Wed, 28 Dec 2022 14:52:27 +0200
Subject: [PATCH 2/3] Updates modified timestamp

---
 rules/windows/builtin/ldap/win_ldap_recon.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index d8bdf44f3..c50d2f068 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -9,7 +9,7 @@ references:
     - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
 author: Adeem Mawani
 date: 2021/06/22
-modified: 2022/12/14
+modified: 2022/12/28
 tags:
     - attack.discovery
     - attack.t1069.002

From a1038670aa88075f23aca98b05791d99137cc147 Mon Sep 17 00:00:00 2001
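Review bot: The added `'msDS-GroupManagedServiceAccount'` entry is a bare objectClass name rather than a filter fragment like the neighbouring `'(adminCount=1)'`, so it will match any LDAP search that names that class, including routine administrative enumeration of gMSA objects, not only the BloodHound.py query the commit message cites. If the selection is a substring match on the search-filter field (the field and its modifier are outside this hunk), consider recording that benign source under the rule's `falsepositives` section, e.g. `- Administrative tooling enumerating group managed service accounts`, or narrowing the term to the exact filter form the referenced bloodhound.py line emits. The enclosing detection list starts and ends outside the hunk.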
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 28 Dec 2022 16:17:46 +0100
Subject: [PATCH 3/3] feat: add new reference

---
 rules/windows/builtin/ldap/win_ldap_recon.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index c50d2f068..1a39c5011 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -7,6 +7,7 @@ references:
     - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
     - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
     - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
+    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
 author: Adeem Mawani
 date: 2021/06/22
 modified: 2022/12/28