Threat (Discovery)

When an attacker initially compromises a system on a network, they will have little to no privileges within the domain. However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack.

How LDAP Reconnaissance Works

The following is a summarization of how the attack works:

1. An attacker obtains access to any domain-joined system (e.g. via phishing, social engineering, etc.).
2. Using PowerShell, the attacker crafts and executes queries against Active Directory objects, searching for various conditions including:
   1. User objects containing Service Principal Names (SPNs), indicating the accounts are used to run services to support applications like Microsoft SQL Server and SharePoint
   2. The membership of Sensitive Security Groups like Domain, Enterprise, and Schema Admins, listing the user accounts containing the highest level of privilege in the domain
   3. The location of high-profile assets, such as file servers, SQL databases, and Active Directory Domain Controllers

Important Notes about LDAP Reconnaissance:

• Due to the way in which Active Directory is architected, searching AD for privileged information rarely requires privileged access rights.
• While Service Principal Names (SPNs) make it easy to locate Service Accounts (which are prime targets because they often contain privileged access rights and have loose password expiration restrictions), there are other variables an attacker can query to identify accounts that are likely Service Accounts such as the “Password Expiration” setting on each user’s account configured via User Account Control.

Video Tutorial

Watch this brief video of an LDAP Reconnaissance attack in action:

Potential Solutions and Mitigating Controls for LDAP Reconnaissance

While you can’t prevent users from crafting or executing LDAP queries against your Domain Controllers, you can implement measures to make it more difficult for users to do so like ensuring users don’t have Local Admin rights to their systems or limiting the information that can be returned through object permission modifications.

Additionally, implementing monitoring for suspicious LDAP queries like those targeting SPNs, memberships of Sensitive Security Groups, sensitive servers, or other known sensitive resources from unconventional locations can also help to detect attackers early on in the attack kill chain.

Addtional Resources

LDAP Reconnaissance Resources:

• https://blog.stealthbits.com/discovering-service-accounts-without-using-privileges/
• https://blog.stealthbits.com/LDAP-monitoring-for-security/

Related Attacks & Concepts:

• https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/

Solutions:

• https://www.stealthbits.com/stealthaudit-for-active-directory-product
• https://www.stealthbits.com/stealthintercept-product