STEALTHbits’ products provide a multitude of ways to detect and mitigate LDAP Reconnaissance.
Detection of LDAP reconnaissance is possible by looking for abnormal LDAP query activity against Active Directory.
Admin Account Reconnaissance
Monitor for LDAP activity that is explicitly performing reconnaissance on administrative groups and users within Active Directory.
Service Account Reconnaissance
Monitor for LDAP activity that is explicitly performing reconnaissance on service accounts (accounts with service principal names).
Monitor for LDAP activity that is used by the attack path mapping tool BloodHound to show attackers how to move laterally across the network towards higher value targets.
LDAP reconnaissance is impossible to stop entirely, due to the design of Active Directory. However, it is important to ensure sensitive data is protected from LDAP queries.
Sensitive Object & Attribute Permissions
Ensure objects and attributes that should be protected (e.g. the ms-Mcs-AdmPwd attribute) are secured and cannot be exported through LDAP.
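As an added example (not STEALTHbits' code), the following Python applies the detection themes above (admin group reconnaissance, SPN reconnaissance, bulk enumeration of the kind attack-path mapping tools perform) and the sensitive-attribute point to a constructed sample of LDAP search telemetry. The log format, indicator patterns and the bulk threshold are assumptions for illustration, not vendor signatures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of LDAP search telemetry (not real logs). Fields: client | bound user | search base | filter | requested attributes
SAMPLE_LOG = """\
10.0.0.12 | svc_backup | DC=corp,DC=example | (&(objectClass=user)(servicePrincipalName=*)) | sAMAccountName,servicePrincipalName
10.0.0.12 | svc_backup | DC=corp,DC=example | (&(objectCategory=group)(adminCount=1)) | member
10.0.0.12 | svc_backup | DC=corp,DC=example | (memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=example) | sAMAccountName
10.0.0.12 | svc_backup | DC=corp,DC=example | (objectClass=*) | *
10.0.0.12 | svc_backup | DC=corp,DC=example | (samAccountType=805306368) | *
10.0.0.12 | svc_backup | DC=corp,DC=example | (samAccountType=805306369) | *
10.0.0.12 | svc_backup | DC=corp,DC=example | (objectClass=computer) | dNSHostName,ms-Mcs-AdmPwd
10.0.0.55 | jsmith | OU=Sales,DC=corp,DC=example | (&(objectClass=user)(sAMAccountName=jsmith)) | mail
"""

# Heuristic indicators used by this example (assumptions, not vendor signatures).
FILTER_RULES = [
    ("admin-recon", re.compile(r"admincount=1|cn=(domain|enterprise|schema) admins|cn=administrators", re.I)),
    ("service-account-recon", re.compile(r"serviceprincipalname=\*", re.I)),
    ("broad-enumeration", re.compile(r"\(objectclass=\*\)|samaccounttype=", re.I)),
]
SENSITIVE_ATTRS = {"ms-mcs-admpwd"}  # attributes that should never be readable via LDAP export
BULK_THRESHOLD = 3                    # broad queries per client before flagging (assumption)

def parse(log):
    """Yield one dict per record of the constructed pipe-delimited format."""
    for line in log.splitlines():
        client, user, base, flt, attrs = (p.strip() for p in line.split("|", 4))
        yield {"client": client, "user": user, "base": base, "filter": flt,
               "attrs": {a.strip().lower() for a in attrs.split(",")}}

def classify(record):
    """Return the reconnaissance categories a single search matches."""
    tags = {tag for tag, rx in FILTER_RULES if rx.search(record["filter"])}
    if record["attrs"] & SENSITIVE_ATTRS:
        tags.add("sensitive-attribute-read")
    return tags

def detect(log):
    """Per-client tag counts; many broad queries from one client also earn a bulk verdict."""
    findings = defaultdict(Counter)
    for rec in parse(log):
        counts = findings[rec["client"]]
        for tag in classify(rec):
            counts[tag] += 1
    for counts in findings.values():
        if counts["broad-enumeration"] >= BULK_THRESHOLD:
            counts["bulk-enumeration"] = 1
    return {client: dict(counts) for client, counts in findings.items()}
```

Running `detect(SAMPLE_LOG)` flags 10.0.0.12 on every category while the ordinary lookup from 10.0.0.55 produces no findings.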