Editor’s note: This is the second post in a series on using StealthDEFEND to defend against attacks. Read the first post, “Using StealthDEFEND to Defend Against Password Spraying”.
Introduction to LDAP Reconnaissance
When an attacker first compromises a system on a network, they usually hold few or no privileges in the domain and often do not even know what privileges they have. However, because of how Active Directory is designed, any authenticated user can by default read most of the directory over LDAP, so an attacker who has gained a foothold on any domain-joined computer can query the directory and its objects. This gives the attacker “eyes and ears”: they can learn how the Active Directory environment is laid out and locate sensitive accounts and other high-value assets to go after in later stages of the attack.
Because LDAP Reconnaissance is one of the first steps an attacker takes, this activity tends to continue until the attacker has found what they need to move to the next phase of the attack.
These attacks are also becoming more sophisticated and effective thanks to tooling that speeds up an attacker’s reconnaissance and discovery. One example is BloodHound, which applies graph theory to reveal the hard-to-discover and often unintended relationships within an Active Directory environment.
Using LDAP queries, scripts, and tools such as BloodHound, an attacker can learn a great deal about an Active Directory environment in a short time. Fortunately, with the STEALTHbits agents, defenders can monitor LDAP traffic across a domain and detect this activity as it is happening. An “LDAP Reconnaissance Threat” raised by StealthDEFEND can serve as a canary in the coal mine: it catches and responds to an attacker’s first steps before they can take more serious action.
LDAP Reconnaissance Detection with StealthDEFEND
StealthDEFEND has a purpose-built threat detection for LDAP Reconnaissance. It monitors all LDAP traffic reported by the agents for specific patterns that indicate reconnaissance.
These include more general patterns, such as queries aimed at sensitive accounts and resources, as well as patterns that match the queries issued by a variety of recon tools, including BloodHound. When an LDAP query completely or partially matches the criteria, an LDAP Reconnaissance threat is generated.
The LDAP Reconnaissance Threat displays a summary of the activity that generated the threat, along with a visualization showing which user perpetrated the attack, which domain was targeted, and how many objects were returned.
We also surface evidence containing the exact query that was executed, and we categorize the type of query so that it is immediately clear what the perpetrator was attempting to discover.
If a perpetrator uses more than one type of query, the threat is updated with this information to show that multiple queries and methods were used against the domain. In practice it is very likely that a perpetrator will use a variety of queries.
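To make the detection idea concrete, here is an added example that is not StealthDEFEND code and does not describe its actual signatures or log format. It folds a constructed, one-line-per-search LDAP request log into one threat per perpetrator: each filter is matched against a handful of signatures for sensitive objects (AdminSDHolder-protected accounts, SPNs, trusts, delegation and domain-controller bits via the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803), a substring match counts as a partial match, and the query types seen by one user are appended to the same threat along with the sources, targets and object counts. The log format, the signature list and the sample lines are all assumptions made for this example.

```python
"""Toy LDAP reconnaissance classifier over constructed search-request log lines.

Added example, not StealthDEFEND code. It shows the shape of the detection the
post describes: match each LDAP filter against recon signatures (a filter that
merely contains a signature still counts, i.e. a partial match) and aggregate
the hits per perpetrator so one threat accumulates several query types.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log (one LDAP search request per line). Made up for this
# example; the field layout is an assumption, not a real agent format.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z src=10.10.20.15 user=CORP\\jdoe base="DC=corp,DC=local" filter="(&(objectClass=user)(sAMAccountName=jdoe))" returned=1
2024-03-04T09:12:07Z src=10.10.20.15 user=CORP\\jdoe base="DC=corp,DC=local" filter="(&(objectCategory=person)(objectClass=user)(adminCount=1))" returned=18
2024-03-04T09:12:09Z src=10.10.20.15 user=CORP\\jdoe base="DC=corp,DC=local" filter="(&(objectClass=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))" returned=37
2024-03-04T09:12:11Z src=10.10.20.15 user=CORP\\jdoe base="DC=corp,DC=local" filter="(objectClass=trustedDomain)" returned=2
2024-03-04T09:12:15Z src=10.10.20.15 user=CORP\\jdoe base="DC=corp,DC=local" filter="(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" returned=3
2024-03-04T09:30:44Z src=10.10.30.7 user=CORP\\svc-print base="DC=corp,DC=local" filter="(&(objectClass=printQueue)(printerName=HQ-3F*))" returned=4
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) base="(?P<base>[^"]*)" '
    r'filter="(?P<filter>[^"]*)" returned=(?P<returned>\d+)$'
)

# (query type, signature). Each pattern targets one thing an attacker wants to
# find early. The list is illustrative and deliberately short.
SIGNATURES = [
    # Accounts protected by AdminSDHolder: Domain Admins and similar groups.
    ("Privileged accounts", re.compile(r"\(adminCount=1\)", re.I)),
    # Any account with an SPN is a Kerberoasting candidate.
    ("Service principal names", re.compile(r"\(servicePrincipalName=\*\)", re.I)),
    # Trust objects reveal which other domains and forests are reachable.
    ("Domain trusts", re.compile(r"\(objectClass=trustedDomain\)", re.I)),
    # Bitwise AND on userAccountControl: 8192 = SERVER_TRUST_ACCOUNT (a DC),
    # 524288 = TRUSTED_FOR_DELEGATION (unconstrained delegation).
    ("Domain controllers", re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=8192\b", re.I)),
    ("Unconstrained delegation", re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=524288\b", re.I)),
    # Bulk pulls of every user or every GPO are typical of graph-building tools.
    ("All user accounts", re.compile(r"\(sAMAccountType=805306368\)", re.I)),
    ("Group Policy objects", re.compile(r"\(objectCategory=groupPolicyContainer\)", re.I)),
]


@dataclass
class Threat:
    perpetrator: str
    sources: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    query_types: list = field(default_factory=list)   # ordered, de-duplicated
    queries: int = 0
    objects_returned: int = 0
    evidence: list = field(default_factory=list)      # the exact filters seen


def parse_line(line):
    """Return the fields of one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_filter(ldap_filter):
    """Recon categories whose signature appears anywhere in the filter.

    Matching is on substrings, so a filter that wraps a signature in extra
    conditions (a partial match) is still flagged; a routine lookup by
    sAMAccountName matches nothing and returns an empty list."""
    return [name for name, rx in SIGNATURES if rx.search(ldap_filter)]


def detect(lines):
    """Fold a log into one Threat per user that issued at least one recon query."""
    threats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kinds = classify_filter(rec["filter"])
        if not kinds:
            continue
        t = threats.setdefault(rec["user"], Threat(perpetrator=rec["user"]))
        t.sources.add(rec["src"])
        t.targets.add(rec["base"])
        for k in kinds:                      # append new query types to the same threat
            if k not in t.query_types:
                t.query_types.append(k)
        t.queries += 1
        t.objects_returned += int(rec["returned"])
        t.evidence.append(rec["filter"])
    return threats


def summarize(threat):
    return (f"LDAP Reconnaissance: {threat.perpetrator} from {', '.join(sorted(threat.sources))} "
            f"against {', '.join(sorted(threat.targets))}: {threat.queries} queries, "
            f"{threat.objects_returned} objects returned; query types: {'; '.join(threat.query_types)}")


if __name__ == "__main__":
    for t in detect(SAMPLE_LOG.splitlines()).values():
        print(summarize(t))
        for f in t.evidence:
            print("   evidence:", f)
```

Run against the sample log, only CORP\jdoe produces a threat: four of the five queries match (the initial lookup of their own account does not), four query types are recorded on the one threat, and the print-queue search by the service account is ignored. A real deployment would keep the signature list much longer and allow-list known scanners and inventory tools, which issue some of these same queries legitimately.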
LDAP Reconnaissance Threat Response with StealthDEFEND
Given its place early in the cyber kill chain, LDAP Reconnaissance is a warning sign of more serious activity to come. Once an attacker has begun this process, the goal is to stop them before they gather the information they need and before they can proceed to the next step.
The Automated Context Injection capabilities of StealthDEFEND provide the perpetrator, sources, targets, and query information for the Reconnaissance attack, and our response steps can act on all of it.
A standard response that disables the perpetrator’s account, restricts its permissions and access, and otherwise prevents further use of the account will go a long way toward stopping this threat. Keep in mind that the perpetrator account is often a legitimate user whose credentials were stolen, so disabling it is a containment step that should be paired with notifying the team that owns the account.
If the source machine is believed to be compromised, we can also isolate it from the network or intervene directly in another way, for example by running a PowerShell script that calls an endpoint security product.
While directly restricting access and locking down accounts can stop an attack before it becomes more serious, simply passing along the information StealthDEFEND has gathered lets our teams respond themselves. Through integrations with third-party products such as Slack, Microsoft Teams, and ServiceNow, the team is notified of the LDAP Reconnaissance and given the details they need to prevent further attacks quickly and efficiently.