LDAP Reconnaissance

How to detect and mitigate LDAP Reconnaissance

When an attacker initially compromises a system on a network, they will have little to no privileges within the domain. However, once an attacker has infiltrated any domain-joined computer, they are able to query Active Directory (AD) and its objects using Lightweight Directory Access Protocol (LDAP), allowing them to locate sensitive accounts and assets to target in their attack.

LDAP Reconnaissance is difficult to detect. Due to the architecture of AD, searching AD for privileged information rarely requires privileged access rights.

Stealthbits’ LDAP Reconnaissance Solution

Stealthbits’ products provide a multitude of ways to detect and mitigate LDAP Reconnaissance.

Detect LDAP Reconnaissance

Detection of LDAP reconnaissance is possible by looking for abnormal LDAP query activity against Active Directory.

APPROACH #1

Admin Account Reconnaissance

DESCRIPTION

Monitor for LDAP activity that is explicitly performing reconnaissance on administrative groups and users within Active Directory.

PRODUCT: StealthDEFEND

APPROACH #2

Service Account Reconnaissance

DESCRIPTION

Monitor for LDAP activity that is explicitly performing reconnaissance on service accounts (accounts with service principal names).

PRODUCT: StealthDEFEND

APPROACH #3

BloodHound Detection

DESCRIPTION

Monitor for LDAP activity that is used by the attack path mapping tool BloodHound to show attackers how to move laterally across the network towards higher value targets.

PRODUCT: StealthDEFEND
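As an added illustration of the three detection approaches above (example code, not Stealthbits code and not a description of how StealthDEFEND works), the following Python applies simple heuristics to constructed LDAP search records. The record layout, the admin-group list, the time window and the breadth heuristic used for approach #3 are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample LDAP search records (not real log output):
# (client IP, timestamp in seconds, LDAP search filter)
SAMPLE_QUERIES = [
    ("10.0.0.5",  100, "(&(objectClass=user)(sAMAccountName=jdoe))"),
    ("10.0.0.9",  200, "(&(objectCategory=group)(cn=Domain Admins))"),
    ("10.0.0.9",  201, "(adminCount=1)"),
    ("10.0.0.12", 300, "(&(objectCategory=user)(servicePrincipalName=*))"),
    ("10.0.0.30", 400, "(objectCategory=user)"),
    ("10.0.0.30", 401, "(objectCategory=group)"),
    ("10.0.0.30", 402, "(objectCategory=computer)"),
    ("10.0.0.30", 403, "(objectCategory=organizationalUnit)"),
    ("10.0.0.30", 404, "(objectCategory=groupPolicyContainer)"),
    ("10.0.0.30", 405, "(objectCategory=trustedDomain)"),
]

# Assumed list of groups whose enumeration counts as admin reconnaissance.
ADMIN_GROUPS = ("domain admins", "enterprise admins", "schema admins", "administrators")
CATEGORY_RE = re.compile(r"objectcategory=([a-z]+)")

def classify(filter_str):
    """Tag a single filter for approach #1 (admin recon) and #2 (SPN recon)."""
    f = filter_str.lower().replace(" ", "")
    tags = set()
    if "admincount=1" in f or any(g.replace(" ", "") in f for g in ADMIN_GROUPS):
        tags.add("admin_recon")
    if "serviceprincipalname=*" in f:
        tags.add("service_account_recon")
    return tags

def detect(queries, window=60, min_categories=4):
    """Return {client: tags}. Approach #3 is approximated by a breadth heuristic
    (assumption): one client whose queries within `window` seconds span at least
    `min_categories` distinct objectCategory values is tagged broad_enumeration."""
    alerts = defaultdict(set)
    per_client = defaultdict(list)
    for client, ts, flt in queries:
        alerts[client] |= classify(flt)
        per_client[client].append((ts, flt.lower()))
    for client, items in per_client.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            cats = set()
            for ts, flt in items[i:]:
                if ts - t0 > window:
                    break
                cats.update(CATEGORY_RE.findall(flt))
            if len(cats) >= min_categories:
                alerts[client].add("broad_enumeration")
                break
    return {c: tags for c, tags in alerts.items() if tags}
```

Running `detect(SAMPLE_QUERIES)` flags 10.0.0.9, 10.0.0.12 and 10.0.0.30 and leaves the ordinary user lookup from 10.0.0.5 untouched; on real data the thresholds need tuning against the directory's normal query volume.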

Mitigate LDAP Reconnaissance

LDAP reconnaissance is impossible to stop entirely, due to the design of Active Directory. However, it is important to make sure sensitive data is protected and safe from LDAP queries.

APPROACH

Sensitive Object & Attribute Permissions

DESCRIPTION

Ensure objects and attributes that should be protected (e.g. the ms-Mcs-AdmPwd attribute) are secured and cannot be exported through LDAP.

PRODUCT: StealthAUDIT

© 2022 Stealthbits Technologies, Inc.