Post-Compromise LDAP Reconnaissance in Active Directory (FDR)
Detects aggressive Active Directory enumeration over LDAP/LDAPS connections from non-standard processes, a common technique after initial compromise in domain-joined environments, consistent with the living-off-the-land (LOTL) model of hands-on-keyboard adversaries.
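A sketch of the kind of logic this description implies, added here as an example and not taken from the rule itself. The event field names, the expected-image allowlist, the window and the threshold are all assumptions, and the port set goes slightly beyond the description by also covering the Global Catalog ports (3268/3269).

```python
from collections import defaultdict

LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog (plain/TLS)
# Assumption: full image paths expected to speak LDAP; tune per environment.
# Matching the path, not the file name, keeps a renamed binary from blending in.
EXPECTED_IMAGES = {r"c:\windows\system32\lsass.exe",
                   r"c:\windows\system32\svchost.exe"}
WINDOW_SECONDS = 300   # assumption: sliding window length
MIN_CONNECTIONS = 20   # assumption: threshold for "aggressive"


def detect_ldap_recon(events):
    """Alert on unexpected processes making bursts of LDAP/LDAPS connections."""
    by_proc = defaultdict(list)
    for ev in events:
        image = ev["image"].lower()
        if ev["remote_port"] in LDAP_PORTS and image not in EXPECTED_IMAGES:
            by_proc[(ev["host"], image, ev["pid"])].append(ev)
    alerts = []
    for (host, image, pid), evs in sorted(by_proc.items()):
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= MIN_CONNECTIONS:
                alerts.append({"host": host, "image": image, "pid": pid,
                               "connections": len(burst)})
                break  # one alert per process
    return alerts


def sample_events():
    """Constructed events; field names are illustrative, not a vendor schema."""
    def conns(image, pid, port, count, step):
        return [{"ts": 1000 + i * step, "host": "WS-01", "image": image,
                 "pid": pid, "remote_ip": "10.0.0.10", "remote_port": port}
                for i in range(count)]
    return (conns(r"C:\Windows\System32\lsass.exe", 700, 389, 40, 2)      # expected
            + conns(r"C:\Users\Public\collector.exe", 4321, 636, 25, 3)   # burst
            + conns(r"C:\Users\Public\svchost.exe", 5555, 389, 20, 10)    # renamed
            + conns(r"C:\Program Files\App\sync.exe", 6000, 389, 30, 60)  # slow
            + conns(r"C:\Users\Public\collector.exe", 4321, 443, 50, 1))  # not LDAP


if __name__ == "__main__":
    for alert in detect_ldap_recon(sample_events()):
        print(alert)
```

On the constructed sample, the two processes under `C:\Users\Public` alert, while the slow-polling application and the real `lsass.exe` do not.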