LDAP Reconnaissance
Reconnaissance is an important part of any successful attack. There are two key forms: initial or external reconnaissance that is performed before an adversary infiltrates an organization, and internal reconnaissance where they discover additional information and context about the organization’s environment. LDAP Reconnaissance is an internal reconnaissance technique used to discover users, groups, and computers in Active Directory. Adversaries can use LDAP queries to increase their knowledge of the environment, which can help them find targets and plan the next stages of their attack.
Threat Summary
Target: Active Directory
Tools:
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detection: Hard
Mitigation: Hard
Response: Medium
Detect, Mitigate, and Respond
Detect (Difficulty: Hard)
LDAP is one of the more frequently used protocols within Active Directory. Because of the high volume, it is difficult to separate an adversary’s queries from the normal operations of the environment. Active Directory does not provide a mechanism for logging the exact queries received, but some degree of profiling and monitoring for access to specific attributes can be achieved using Event ID 4662 in the subcategory Audit Directory Service Access.
Monitoring the network traffic received by domain controllers for specific LDAP queries can enable detection of adversary activity. The following table shows a small sample of the kinds of queries that should be infrequent in normal operation but provide strong signals of adversary activity.
| Query | Target information |
|---|---|
| (&(ObjectClass=user)(servicePrincipalName=*)) | All user objects that have a servicePrincipalName configured |
| (userAccountControl:1.2.840.113556.1.4.803:=65536) | Objects that have Password Never Expires set |
| (userAccountControl:1.2.840.113556.1.4.803:=4194304) | Objects that do not require Kerberos pre-authentication |
| (sAMAccountType=805306369) | All computer objects |
| (sAMAccountType=805306368) | All user objects |
| (userAccountControl:1.2.840.113556.1.4.803:=8192) | All domain controller objects |
| (primaryGroupID=512) | All Domain Admins, via primaryGroupID |
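As an added example that is not part of the original page, the following Python snippet turns the table above into detection logic: it normalises captured LDAP filters, decodes the bitwise-AND userAccountControl matches into flag names, and flags a source that issues several distinct reconnaissance-style queries. The "timestamp,source,filter" row format, the sample rows and the two-signal threshold are assumptions.

```python
import re
from collections import defaultdict

# userAccountControl flags from the table above, decoded for the bitwise-AND rule (OID 1.2.840.113556.1.4.803).
UAC_FLAGS = {
    0x2000: "SERVER_TRUST_ACCOUNT (domain controllers)",
    0x10000: "DONT_EXPIRE_PASSWORD (password never expires)",
    0x400000: "DONT_REQ_PREAUTH (no Kerberos pre-authentication)",
}
SAM_TYPES = {805306368: "all user objects", 805306369: "all computer objects"}
UAC_RE = re.compile(r"\(useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=(\d+)\)")
SAM_RE = re.compile(r"\(samaccounttype=(\d+)\)")
SPN_RE = re.compile(r"\(serviceprincipalname=\*\)")
PGID_RE = re.compile(r"\(primarygroupid=512\)")

def classify(ldap_filter):
    """Return the reconnaissance signals one LDAP filter matches (empty list if none)."""
    # Lower-case and strip whitespace so case or spacing changes do not dodge the rules.
    f = re.sub(r"\s+", "", ldap_filter).lower()
    findings = []
    for value in UAC_RE.findall(f):
        bits = int(value)
        # One bitwise-AND match may name several flags at once; report each known one.
        names = [name for bit, name in UAC_FLAGS.items() if bits & bit]
        if names:
            findings.append("userAccountControl bit match: " + ", ".join(names))
    for value in SAM_RE.findall(f):
        if int(value) in SAM_TYPES:
            findings.append("sAMAccountType enumeration: " + SAM_TYPES[int(value)])
    if SPN_RE.search(f):
        findings.append("user objects with a servicePrincipalName configured")
    if PGID_RE.search(f):
        findings.append("Domain Admins via primaryGroupID=512")
    return findings

def scan(log_lines, min_signals=2):
    """Group distinct signals by source; return only sources at or above the threshold."""
    by_source = defaultdict(set)
    for line in log_lines:
        _ts, src, ldap_filter = line.split(",", 2)  # constructed "timestamp,source,filter" rows
        by_source[src].update(classify(ldap_filter))
    return {src: sorted(hits) for src, hits in by_source.items() if len(hits) >= min_signals}

# Constructed sample rows in the shape a DC-side capture or LDAP sensor might emit.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z,10.0.0.5,(&(objectClass=user)(servicePrincipalName=*))",
    "2024-05-01T10:00:02Z,10.0.0.5,(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
    "2024-05-01T10:00:03Z,10.0.0.5,(sAMAccountType=805306369)",
    "2024-05-01T10:00:04Z,10.0.0.9,(&(objectClass=user)(sAMAccountName=jsmith))",
]
```

Grouping by source rather than alerting on each filter keeps the single legitimate lookup (the jsmith row) out of the alert while the host that walks several of the table's queries is reported.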
Mitigate (Difficulty: Hard)
Because of LDAP's essential role in normal Active Directory operations, its use by an adversary that has already infiltrated an organization cannot be prevented. Focus instead on mitigations that prevent the initial infiltration: user awareness and training, endpoint detection and response, phishing detection and prevention, email security, multi-factor authentication, and so on.
Respond (Difficulty: Medium)
If LDAP Reconnaissance is detected in the environment, the following actions can be taken:
- Activate the incident response process and alert the incident response team
If an adversary’s presence is confirmed:
- Reset the password and disable the user account performing reconnaissance
- Quarantine the source computer for forensic investigation, as well as eradication and recovery activities