Netwrix Auditor 
Netwrix Enterprise Auditor 
Netwrix Data Classification 
Netwrix GroupID 
Netwrix Privilege Secure 
Netwrix Endpoint Protector 
LDAP Reconnaissance
Reconnaissance is an important part of any successful attack. There are two key forms: initial or external reconnaissance that is performed before an adversary infiltrates an organization, and internal reconnaissance where they discover additional information and context about the organization’s environment.
LDAP reconnaissance is an internal reconnaissance technique attackers use to discover users, groups and computers in Active Directory. They use LDAP queries to increase their knowledge of the environment, which can help them find targets and plan the next stages of their attack. Because this technique is used by adversaries who have already infiltrated an organization, it is an internal (rather than external) reconnaissance technique.
Threat Summary
Target:
Active Directory
Tools:
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detection:
Hard
Mitigation:
Hard
Response:
Medium
Performing Reconnaissance using LDAP
STEP 1
Obtain a foothold
Adversaries use a variety of techniques to gain a foothold in an organization’s IT environment, including phishing, watering hole and password spraying attacks. Here is how an adversary who has obtained a list of possible usernames can conduct a password spraying attack using Spray, a bash script made to perform password spray attacks on multiple platforms, against the organization’s virtual private network (VPN) server:
[attacker@machine ~]$ spray.sh -cisco vpn.org.com usernames.txt passwords.txt 1 35
Valid Credentials joed Summer2020
STEP 2
Perform reconnaissance using LDAP
The adversary uses the compromised credentials to authenticate to the VPN and gain network access, and then uses those same credentials to query Active Directory. They can enumerate Active Directory using the ActiveDirectory PowerShell module, or automate the discovery using tools like BloodHound and PowerSploit. In this example, the adversary uses PowerShell to look for possible passwords in users’ description attributes:
PS> Import-Module ActiveDirectory
PS> Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -property * | Select-Object SAMAccountName, Description, DistinguishedName
SAMAccountName Description DistinguishedName
-------------- ----------- -----------------
Alice Password: P@ssw0rd123! CN=Alice,OU=Users,DC=domain,DC=com
PS>
STEP 3
Use information to further objectives
Using the credentials they have found, the adversary conducts further internal reconnaissance using tools like BloodHound and SharpHound, which assist with untangling complex webs of permissions. Using this information, the adversary can map out pathways to objectives, such as domain dominance.
The graphic below illustrates an example. Suppose an attacker gains the credentials for the user account Alice. That account has
The graphic below illustrates an example. Suppose an attacker gains the credentials for the user account Alice. That account has
WriteDACL and WriteOwner permissions to the user Eve, which means Alice can grant herself access to Eve’s account. Eve has rights to reset the password of the account Bob, and Bob has permissions (granted through AdminSDHolder propagation) to modify the Domain Admins group. Therefore, finding Alice’s password was very valuable the adversary!
Result
After collecting data withSharpHound.exe -C All the adversary can load the data set into BloodHound to explore pathways to domain dominance.
Detect, Mitigate and Respond
Detect
Mitigate
Respond
Difficulty:
Hard
The LDAP protocol is used frequently in Active Directory, so it is difficult to separate malicious queries from legitimate ones. Moreover, Active Directory does not provide a mechanism for logging the exact queries received; however, some degree of profiling and monitoring for access to specific attributes can be achieved using event 4662 in the subcategory Audit Directory Service Access.
Monitoring network traffic received by domain controllers for specific LDAP queries can help you detect adversary activity. The following table shows a small sampling of the kinds of queries that should be infrequent in normal operation but can provide strong signals of adversary activity:
Monitoring network traffic received by domain controllers for specific LDAP queries can help you detect adversary activity. The following table shows a small sampling of the kinds of queries that should be infrequent in normal operation but can provide strong signals of adversary activity:
| Query | Information Collected |
| (&(ObjectClass=user)(servicePrincipalName=*)) | All user objects that have a ServicePrincipalName configured |
| (userAccountControl:1.2.840.113556.1.4.803:=65536) | Objects that have Password Never Expires set |
| (userAccountControl:1.2.840.113556.1.4.803:=4194304) | Objects that do not require Kerberos pre-authentication |
| (sAMAccountType=805306369) | All computer objects |
| (sAMAccountType=805306368) | All user objects |
| (userAccountControl:1.2.840.113556.1.4.803:=8192) | All domain controller objects |
| (primaryGroupID=512) | All Domain Admins using PrimaryGroupID |
Difficulty:
Hard
Because LDAP plays an essential role in normal Active Directory operations, organizations cannot simply block its use. Instead, focus on mitigations that prevent infiltration in the first place: user awareness and training, endpoint compromise detection and response, phishing detection and prevention, email security, multi-factor authentication (MFA), and so on.
Difficulty:
Medium
If LDAP reconnaissance is detected in the environment, activate the incident response process and alert the incident response team.
If an adversary’s presence is confirmed:
If an adversary’s presence is confirmed:
- Reset the password and disable the user account performing reconnaissance.
- Quarantine the source computer for forensic investigation and eradication and recovery activities.
Detect
Difficulty:
Hard
The LDAP protocol is used frequently in Active Directory, so it is difficult to separate malicious queries from legitimate ones. Moreover, Active Directory does not provide a mechanism for logging the exact queries received; however, some degree of profiling and monitoring for access to specific attributes can be achieved using event 4662 in the subcategory Audit Directory Service Access.
Monitoring network traffic received by domain controllers for specific LDAP queries can help you detect adversary activity. The following table shows a small sampling of the kinds of queries that should be infrequent in normal operation but can provide strong signals of adversary activity:
Monitoring network traffic received by domain controllers for specific LDAP queries can help you detect adversary activity. The following table shows a small sampling of the kinds of queries that should be infrequent in normal operation but can provide strong signals of adversary activity:
| Query | Information Collected |
| (&(ObjectClass=user)(servicePrincipalName=*)) | All user objects that have a ServicePrincipalName configured |
| (userAccountControl:1.2.840.113556.1.4.803:=65536) | Objects that have Password Never Expires set |
| (userAccountControl:1.2.840.113556.1.4.803:=4194304) | Objects that do not require Kerberos pre-authentication |
| (sAMAccountType=805306369) | All computer objects |
| (sAMAccountType=805306368) | All user objects |
| (userAccountControl:1.2.840.113556.1.4.803:=8192) | All domain controller objects |
| (primaryGroupID=512) | All Domain Admins using PrimaryGroupID |
Mitigate
Difficulty:
Hard
Because LDAP plays an essential role in normal Active Directory operations, organizations cannot simply block its use. Instead, focus on mitigations that prevent infiltration in the first place: user awareness and training, endpoint compromise detection and response, phishing detection and prevention, email security, multi-factor authentication (MFA), and so on.
Respond
Difficulty:
Medium
If LDAP reconnaissance is detected in the environment, activate the incident response process and alert the incident response team.
If an adversary’s presence is confirmed:
If an adversary’s presence is confirmed:
- Reset the password and disable the user account performing reconnaissance.
- Quarantine the source computer for forensic investigation and eradication and recovery activities.
Featured Solutions
OTHER ATTACKS
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.