...
index="winevent_dc_index" source="wineventlog:directory service" EventCode="2889"
| rex field=_raw "(?ms)Binding\s+Type:\s+(?<typeBind>\d)"
| table _time, host, EventCode, ClientIdentity, ClientIPAddress, typeBind
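The same extraction outside Splunk, as an added example that is not part of the original notes: it applies the rex pattern above (plus client IP and identity fields) to constructed 2889 message bodies and counts unsigned binds per client, which is what the Splunk table is used for. The 2889 message layout and the meaning of the Binding Type values (0 = simple bind, 1 = SASL bind without signing) are assumptions here, not taken from this page.

```python
import re
from collections import Counter

# Python equivalents of the Splunk rex above (named groups are (?P<name>...) in Python).
TYPE_RE = re.compile(r"Binding\s+Type:\s+(?P<typeBind>\d)", re.S)
CLIENT_RE = re.compile(r"Client IP address:\s*(?P<ip>\S+):(?P<port>\d+)", re.S)
IDENTITY_RE = re.compile(r"authenticate as:\s*(?P<identity>[^\r\n]+)", re.S)

# Assumed meaning of the Binding Type value in a 2889 event (not stated on this page):
# 0 = unsigned simple bind, 1 = SASL bind without signing.
TYPE_LABELS = {"0": "simple bind", "1": "SASL bind without signing"}

def parse_2889(raw: str):
    """Extract client IP/port, identity and typeBind from one 2889 message body.
    Returns None when the text carries no Binding Type (i.e. it is not a 2889)."""
    t = TYPE_RE.search(raw)
    if not t:
        return None
    c = CLIENT_RE.search(raw)
    i = IDENTITY_RE.search(raw)
    code = t.group("typeBind")
    return {
        "ip": c.group("ip") if c else None,
        "port": int(c.group("port")) if c else None,
        "identity": i.group("identity").strip() if i else None,
        "typeBind": code,
        "label": TYPE_LABELS.get(code, "unknown binding type %s" % code),
    }

def summarize(raw_events):
    """Count unsigned binds per (identity, client IP, label), so noisy clients stand out."""
    counts = Counter()
    for raw in raw_events:
        ev = parse_2889(raw)
        if ev:
            counts[(ev["identity"], ev["ip"], ev["label"])] += 1
    return counts

# Constructed sample messages modelled on the 2889 layout (not real log data).
HEADER = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
          "without requesting signing (integrity verification), or performed a simple bind "
          "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n")

def sample_event(ip, port, identity, type_bind):
    return (HEADER + f"Client IP address:\n{ip}:{port}\n"
            f"Identity the client attempted to authenticate as:\n{identity}\n"
            f"Binding Type:\n{type_bind}\n")

SAMPLE_EVENTS = [
    sample_event("10.0.0.25", 49211, "CORP\\mac-lab01$", 1),
    sample_event("10.0.0.25", 49240, "CORP\\mac-lab01$", 1),
    sample_event("10.0.0.77", 51002, "CORP\\svc-backup", 0),
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).most_common():
        print(n, *key)
```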
Truth Tables
Bind | Signing | Certificate | Encryption | Result
---|---|---|---|---
Wireshark - SASL bind behavior
When observing macOS connections, a SASL bind sequence is seen while macOS sits at the login screen or when dscl runs queries. This sequence triggers event code 2889 on the domain controller.
1. Client: LDAP search for base properties of the directory.
2. Server: Result indicating that it supports SASL GSSAPI bind.
3. Client: SASL bindRequest of type GSSAPI, on port 389.
4. Server: saslBindInProgress using GSS-API and specifying encryption type.
5. Client: SASL bindRequest of type GSSAPI, sending from port 88 (Kerberos).
6. Server: saslBindInProgress using GSS-API and hashes.
7. Client: SASL bindRequest of type GSSAPI, declaring credential hash.
8. Server: Bind success.
Appendix: Raw text from testing notes
...