Reconnaissance is an important part of any successful attack. There are two key forms: initial or external reconnaissance that is performed before an adversary infiltrates an organization, and internal reconnaissance where they discover additional information and context about the organization’s environment. LDAP Reconnaissance is an internal reconnaissance technique used to discover users, groups, and computers in Active Directory. Adversaries can use LDAP queries to increase their knowledge of the environment, which can help them find targets and plan the next stages of their attack.
Step 1: Adversaries may gain a foothold within an organization in any number of ways, from phishing to watering hole to password spraying attacks. In this example, an adversary, having completed initial reconnaissance to produce a list of possible usernames, conducts a password spraying attack (using a tool like Spray) against the organization’s virtual private network (VPN) server. The two trailing arguments limit the spray to one attempt per 35-minute window so that the attempts stay below the domain’s account lockout threshold.
[attacker@machine ~]$ spray.sh -cisco vpn.org.com usernames.txt passwords.txt 1 35
Valid Credentials joed Summer2020
Step 2: Next, using the compromised credential, the adversary authenticates to the VPN to gain network access and can use those same credentials to query Active Directory, since by default any authenticated domain user can read most directory attributes. Adversaries can live off the land and use PowerShell and the ActiveDirectory module to enumerate Active Directory. Additionally, tools such as BloodHound and PowerView automate the discovery of relevant information. In this example, the adversary uses PowerShell to run a query against the directory looking for possible passwords in users’ description attributes, a free-text field that administrators sometimes misuse to store credentials.
PS> Import-Module ActiveDirectory
PS> Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SAMAccountName, Description, DistinguishedName

SAMAccountName Description            DistinguishedName
-------------- -----------            -----------------
Alice          Password: P@ssw0rd123! CN=Alice,OU=Users,DC=domain,DC=com
PS>
Step 3: Having discovered credentials they can steal, the adversary conducts further internal reconnaissance using tools such as BloodHound and SharpHound, which assist with untangling complex webs of permissions. Using this information, the adversary can map out pathways to certain objectives (like achieving domain dominance). In this example, Alice has WriteOwner permission on the user Eve, which means Alice can take ownership of Eve’s object and then grant herself whatever rights she needs over Eve’s account; Eve has the right to reset Bob’s password; and Bob has permission (granted through AdminSDHolder propagation) to modify the Domain Admins group. That chain confirms for the adversary that finding Alice’s password was very valuable.
After collecting data with
SharpHound.exe -C All
the adversary can load the data set into BloodHound to explore pathways to domain dominance.
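The permission chain in Step 3 is what BloodHound resolves by searching a graph of principals and ACL edges. The following is an added example written for this page, not code from the page or from the BloodHound project: it encodes the Step 3 scenario as a constructed edge list (the edge names WriteOwner, ForceChangePassword, AddMember and so on follow BloodHound’s vocabulary, which is an assumption; the page describes the rights only in prose), finds the shortest path from a principal to Domain Admins by breadth-first search, and produces the "which principals can reach Domain Admins" view that makes a stolen password like Alice’s valuable.

```python
"""Shortest attack paths over Active Directory ACL relationships (added example)."""
from __future__ import annotations
from collections import deque

# Constructed edge list for the Step 3 scenario: (source principal, right, target).
# Edge names follow BloodHound's vocabulary (an assumption). The last three edges
# are dead ends added so the search has something to reject.
EDGES = [
    ("Alice", "WriteOwner", "Eve"),
    ("Eve", "ForceChangePassword", "Bob"),
    ("Bob", "AddMember", "Domain Admins"),
    ("Alice", "MemberOf", "Domain Users"),
    ("Carol", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "Dave"),
]


def build_graph(edges):
    """Adjacency list: principal -> [(right, controlled principal), ...]."""
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
        graph.setdefault(dst, [])  # targets with no outgoing edges are still nodes
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns [(src, right, dst), ...] or None if unreachable."""
    if start not in graph:
        return None
    parent = {start: None}  # node -> (predecessor, right used to reach node)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                src, right = parent[node]
                path.append((src, right, node))
                node = src
            return path[::-1]
        for right, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, right)
                queue.append(nxt)
    return None


def principals_reaching(graph, goal):
    """Every principal with a path to goal, mapped to its shortest path."""
    result = {}
    for node in graph:
        if node == goal:
            continue
        path = shortest_path(graph, node, goal)
        if path:
            result[node] = path
    return result


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for who, path in principals_reaching(graph, "Domain Admins").items():
        hops = " -> ".join(f"{s} [{r}]" for s, r, _ in path) + " -> Domain Admins"
        print(f"{who}: {hops}")
```

Real collections contain hundreds of thousands of edges and many edge types with different exploitation costs; the search above treats every edge as one hop, which is the same simplification BloodHound’s shortest-path queries make by default.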
Detect, Mitigate, and Respond
LDAP is one of the most heavily used protocols in an Active Directory environment. Because of the volume, it is difficult to separate an adversary’s queries from the normal operations of the environment. Active Directory does not record the LDAP queries it receives by default, but some profiling is possible. Event ID 4662 in the subcategory Audit Directory Service Access records access to specific attributes, provided the objects of interest carry a matching audit entry (SACL) for the principals and operations to be tracked; without that SACL nothing is logged. Separately, raising the Directory Service diagnostic logging level for 15 Field Engineering to 5 makes domain controllers write Event ID 1644 for searches that exceed the configured expensive and inefficient search thresholds, including the client address and the search filter; lowering those thresholds captures the broad enumeration queries discussed below at the cost of log volume.
Monitoring network traffic received by domain controllers for specific LDAP queries can detect adversary activity. The following table is a small sampling of the kinds of queries that should be infrequent in normal operation but can provide strong signals of adversary activity. Because legitimate management tools also issue some of them (an inventory agent enumerating all computer objects, for instance), a stronger signal is one client issuing several distinct queries of this kind within a short window.
|Query purpose|
|---|
|All user objects which have a servicePrincipalName configured|
|Objects which have Password Never Expires set|
|Objects which do not require Kerberos pre-authentication|
|All computer objects|
|All user objects|
|All domain controller objects|
|All Domain Admins, found via primaryGroupID|
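Detection logic for the queries in the table above, and for the Step 2 "password in description" query, as an added example written for this page (not code from the page or from any product). The filter expressions for each row are supplied here, since the page lists only the purpose of each query; they are the standard Active Directory search filters that common enumeration tooling issues, and a production rule set would carry more variants. The log records are constructed for the example, in an assumed tab-separated layout of timestamp, client address, base DN and filter; a real sensor or the 1644 event would need its own field mapping. Signatures are matched on the normalised leaf assertions of each filter rather than on the exact string, so reordering or re-casing the filter does not evade the match, and clients are scored on how many distinct signatures they hit rather than on any single query.

```python
"""Flag LDAP reconnaissance patterns in domain-controller search records (added example)."""
from __future__ import annotations
import re
from collections import defaultdict

# Signature set: the purposes mirror the page's table, the filter leaves are the
# standard Active Directory search expressions enumeration tooling emits for each
# purpose (supplied for this example; the page lists only the purposes).
# The last entry is the Step 2 "password in description" query.
RECON_SIGNATURES = {
    "users with a servicePrincipalName (Kerberoast targets)":
        {"samaccounttype=805306368", "serviceprincipalname=*"},
    "password never expires":
        {"useraccountcontrol:1.2.840.113556.1.4.803:=65536"},
    "no Kerberos pre-authentication (AS-REP roast targets)":
        {"useraccountcontrol:1.2.840.113556.1.4.803:=4194304"},
    "all computer objects": {"objectcategory=computer"},
    "all user objects": {"samaccounttype=805306368"},
    "all domain controllers":
        {"useraccountcontrol:1.2.840.113556.1.4.803:=8192"},
    "Domain Admins via primaryGroupID": {"primarygroupid=512"},
    "passwords stored in the description attribute": {"description=*pass*"},
}

# Innermost "(attribute<op>value)" items of a filter; nesting operators are dropped.
LEAF_RE = re.compile(r"\(([^()]+)\)")


def filter_leaves(ldap_filter: str) -> set[str]:
    """Normalised leaf assertions of an LDAP filter.

    Ordering, whitespace and attribute-name case are discarded so that
    "(&(ServicePrincipalName=*)(sAMAccountType=805306368))" matches the same
    signature as the canonical form. Limitation: the NOT operator is dropped
    too, so a deliberately negated filter still matches; real rules should keep it.
    """
    return {re.sub(r"\s+", "", leaf).lower() for leaf in LEAF_RE.findall(ldap_filter)}


def match_signatures(ldap_filter: str) -> list[str]:
    """Signatures whose leaves all appear in the filter, most specific only."""
    leaves = filter_leaves(ldap_filter)
    hits = {name: sig for name, sig in RECON_SIGNATURES.items() if sig <= leaves}
    # "all user objects" is implied by the servicePrincipalName signature; report
    # only signatures that are not a strict subset of another hit.
    return sorted(name for name, sig in hits.items()
                  if not any(sig < other for other in hits.values()))


def parse_log(text: str):
    """Yield (timestamp, client, base DN, filter) from tab-separated records."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield tuple(line.split("\t", 3))


def score_clients(text: str, threshold: int = 3) -> dict[str, list[str]]:
    """Clients that issued at least `threshold` distinct recon signatures."""
    seen = defaultdict(set)
    for _ts, client, _base, ldap_filter in parse_log(text):
        seen[client].update(match_signatures(ldap_filter))
    return {c: sorted(s) for c, s in seen.items() if len(s) >= threshold}


# Constructed records (time, client, base DN, filter), tab-separated. Made up for
# this example; a real sensor or the 1644 event has its own layout to map from.
SAMPLE_LOG = "\n".join([
    "2020-09-01T10:00:01Z\t10.1.2.3\tDC=domain,DC=com\t(&(objectClass=user)(description=*pass*))",
    "2020-09-01T10:00:05Z\t10.1.2.3\tDC=domain,DC=com\t(&(ServicePrincipalName=*)(sAMAccountType=805306368))",
    "2020-09-01T10:00:09Z\t10.1.2.3\tDC=domain,DC=com\t(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
    "2020-09-01T10:00:12Z\t10.1.2.3\tDC=domain,DC=com\t(primaryGroupID=512)",
    "2020-09-01T10:01:00Z\t10.1.2.50\tDC=domain,DC=com\t(&(objectClass=user)(sAMAccountName=jsmith))",
    "2020-09-01T10:01:30Z\t10.1.2.51\tDC=domain,DC=com\t(objectCategory=computer)",
])

if __name__ == "__main__":
    for client, sigs in score_clients(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(sigs)} recon signatures: {', '.join(sigs)}")
```

With the constructed records only 10.1.2.3 is reported: it issues four distinct signature queries in a few seconds, while the ordinary user lookup from 10.1.2.50 matches nothing and the single computer enumeration from 10.1.2.51 stays below the threshold. Tuning the threshold, and allow-listing the addresses of known management servers, is what keeps this usable at domain-controller query volumes.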
Because LDAP is essential to normal Active Directory operations, and any authenticated domain user can by default read most of the attributes these queries return, an adversary who has already infiltrated the organization cannot be prevented from using it. Focus on mitigations that prevent the initial infiltration in the first place: user awareness and training, endpoint detection and response, phishing detection and prevention, email security, multi-factor authentication, and so on.
If LDAP Reconnaissance is detected in the environment, the following actions can be taken:
- Activate the incident response process and alert the incident response team
If an adversary’s presence is confirmed:
- Reset the password and disable the user account performing reconnaissance
- Quarantine the source computer for forensic investigation, as well as eradication and recovery activities