Huntress reported that LDAP Ping–based Active Directory username enumeration is not captured by Windows Event 1644 because the traffic is handled by netlogon.dll rather than the LDAP engine in ntdsa.dll. Testing of the ldapnomnom tool found its current implementation is more detectable than advertised: because it uses TCP instead of true UDP cLDAP, Windows can generate Security Event 5156 with the attacker source IP when Filtering Platform Connection auditing is enabled. Netlogon debug logging can also record each queried username and indicate whether accounts are enabled, disabled, or nonexistent.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
In a blog post published on 2026-06-19, Huntress analyzed LDAP Ping-based Active Directory username enumeration and concluded that ldapnomnom is more detectable than advertised because its current implementation uses TCP, which can generate Windows Security Event 5156 when Filtering Platform Connection auditing is enabled. The post also explained that true UDP cLDAP remains a logging blind spot for Windows event logs and discussed defender visibility through netlogon.log, packet capture, firewall logs, and Microsoft Defender for Identity.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.