LDAP Reconnaissance

How to detect and mitigate LDAP Reconnaissance

When an attacker initially compromises a system on a network, they will have little to no privileges within the domain. However, once an attacker has infiltrated any domain-joined computer, they are able to query Active Directory (AD) and its objects using Lightweight Directory Access Protocol (LDAP), allowing them to locate sensitive accounts and assets to target in their attack.

LDAP Reconnaissance is difficult to detect. Due to the architecture of AD, searching AD for privileged information rarely requires privileged access rights.


STEALTHbits’ LDAP Reconnaissance Solution

STEALTHbits’ products provide a multitude of ways to detect and mitigate LDAP Reconnaissance.

Detect LDAP Reconnaissance

Detection of LDAP reconnaissance is possible by looking for abnormal LDAP query activity against Active Directory.

APPROACH #1

Admin Account Reconnaissance

DESCRIPTION

Monitor for LDAP activity that is explicitly performing reconnaissance on administrative groups and users within Active Directory.

PRODUCT: StealthDEFEND

APPROACH #2

Service Account Reconnaissance

DESCRIPTION

Monitor for LDAP activity that is explicitly performing reconnaissance on service accounts (accounts with service principal names).

PRODUCT: StealthDEFEND

APPROACH #3

BloodHound Detection

DESCRIPTION

Monitor for LDAP activity that is used by the attack path mapping tool BloodHound to show attackers how to move laterally across the network towards higher value targets.

PRODUCT: StealthDEFEND
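
A minimal sketch of the query-pattern matching behind Approaches #1 and #2, added here as an illustration; it is not StealthDEFEND's detection logic. The sample records, the tag names, the group watch list and the choice of `adminCount`, privileged group names and wildcard `servicePrincipalName` filters as indicators are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (client address, LDAP search filter); not real log data.
SAMPLE_QUERIES = [
    ("10.0.0.5", "(&(objectCategory=person)(objectClass=user)(adminCount=1))"),
    ("10.0.0.5", "(&(objectClass=user)(servicePrincipalName=*)(!(objectClass=computer)))"),
    ("10.0.0.5", "(&(objectClass=group)(cn=Domain Admins))"),
    ("10.0.0.9", "(&(objectClass=user)(sAMAccountName=jsmith))"),
    ("10.0.0.9", "(servicePrincipalName=HTTP/intranet.example.test)"),
]

# One simple (attribute operator value) item of an RFC 4515 filter string.
ASSERTION = re.compile(r"\(([A-Za-z][\w.;-]*)(=|>=|<=|~=)([^()]*)\)")

# Assumed watch list of privileged group names; extend for the environment.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

def classify(ldap_filter):
    """Return the set of reconnaissance tags that a search filter matches."""
    tags = set()
    for m in ASSERTION.finditer(ldap_filter):
        # Skip directly negated items such as (!(servicePrincipalName=*)).
        if ldap_filter[:m.start()].rstrip().endswith("(!"):
            continue
        attr, value = m.group(1).lower(), m.group(3).strip().lower()
        # For memberOf the value is a DN; compare its first RDN to the watch list.
        name = value.split(",")[0]
        name = name[3:] if name.startswith("cn=") else name
        if attr == "admincount" and value == "1":
            tags.add("admin-recon")
        elif attr in ("cn", "name", "samaccountname", "memberof") and name in PRIVILEGED_GROUPS:
            tags.add("admin-recon")
        elif attr == "serviceprincipalname" and value == "*":
            # Wildcard presence test enumerates every SPN-bearing account;
            # a lookup of one specific SPN is routine and is not tagged.
            tags.add("service-account-recon")
    return tags

def summarize(records):
    """Group matched tags by client so repeated enumeration stands out."""
    hits = defaultdict(set)
    for client, ldap_filter in records:
        hits[client] |= classify(ldap_filter)
    return {client: sorted(tags) for client, tags in hits.items() if tags}

if __name__ == "__main__":
    for client, tags in summarize(SAMPLE_QUERIES).items():
        print(client, tags)
```

Matches on a single query are weak signals on their own, since administrators and management tools issue the same filters; the per-client grouping is what a baseline would be compared against.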


Mitigate LDAP Reconnaissance

LDAP reconnaissance is impossible to stop entirely, due to the design of Active Directory. However, it is important to make sure sensitive data is protected and cannot be read through LDAP queries.

APPROACH

Sensitive Object & Attribute Permissions

DESCRIPTION

Ensure objects and attributes that should be protected (e.g. the ms-Mcs-AdmPwd attribute) are secured and cannot be exported through LDAP.

PRODUCT: StealthAUDIT
