The start of Active Directory attacks, like LDAP Reconnaissance, involves finding vulnerabilities on a network and grabbing “intel” about sensitive accounts like Domain, Enterprise, and Schema Admins. After an attacker initially compromises a system on a network, they will pretty much have no privileges in the domain. This leaves an attacker hungry for more, and with the way Active Directory is designed, they can query objects inside a directory pretty easily.
LDAP queries are key in an attacker gaining this intel on user objects with service principal names (SPNs), memberships of sensitive security groups, and the locations of high profile assets like SQL databases, domain controllers or file servers. Once an attacker gets access to any domain-joined system, they are able to create simple PowerShell queries to search and launch the discovery of the environment.
You cannot prevent users from creating or executing LDAP queries on the network, but you can certainly make it more difficult. One way is to ensure users do not have Local Admin rights to their systems. StealthAUDIT has great reporting in order to audit Local Admin rights and membership changes as well. The great thing about how StealthAUDIT collects this data is that it is all agentless! Our platform can even discover all of the endpoints on the network for you as well in order to make sure you are always covered in monitoring privileged accounts on all systems in the environment.
On top of that, implementing monitoring for strange or suspicious LDAP queries can help you detect an attacker who is just getting started. Modern SIEM technologies have improved their ability to scale to collect, index and report on terabytes of any machine-generated data; however, SIEMs are only as good as the information they receive. StealthDEFEND provides the monitoring of LDAP reconnaissance threats by leveraging our agent for LDAP monitoring and being smart about suspicious queries. Built into the DEFEND platform are threats and alerts that know about these suspicious queries against the network and ones that return an abnormal amount of objects. The product can also detect when users are using a tool like Bloodhound to map out attack paths on the network.
If you have not tried our StealthAUDIT for Windows or our StealthDEFEND for File Systems products, I strongly suggest you give it a try! We have solutions here at STEALTHbits to help mitigate controls for LDAP Reconnaissance and the start of an attacker’s path to compromising assets.
Check out the video tutorial of LDAP Reconnaissance on our attack site here: https://attack.stealthbits.com/ldap-reconnaissance-active-directory
Dan is a Presales Engineer at Stealthbits – Now part of Netwrix. Prior to moving over to Presales, Dan worked as a Technical Product Manager.
Related Posts
- PROTIP – How to Purge Data in StealthAUDIT
- PROTIP – Fulfill a DSAR with StealthAUDIT 11.0
- Best Practices – Setting up StealthAUDIT SQL Server Database
- ProTip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for Oracle
- Pro Tip – StealthINTERCEPT DB Maintenance Best Practices
- PROTIP: Policy Registration & Managing StealthINTERCEPT via PowerShell and Editing StealthDEFEND Investigations & Categorizing Playbooks
- PROTIP: How to Update the “Have I Been Pwned” (HIBP) Breach Dictionary in StealthINTERCEPT Enterprise Password Enforcer and StealthAUDIT
- Protip: How to Setup User Activity & Database Logon Scans in StealthAUDIT for Oracle
- ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer
- Protip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for SQL
Leave a Reply