Preventing LDAP Reconnaissance - The First Step of AD Attack

Preventing LDAP Reconnaissance- The First Step of AD Attacks

By John Gates

May 7th, 2020

Due to the architecture of Active Directory, once a domain-joined computer is breached, the attacker is able to map the network, locate sensitive accounts and assets, and estimate vulnerabilities. The process is possible by querying the Active Directory (AD) using the LDAP protocol.

What is the difference between LDAP and Active Directory:

LDAP (Lightweight Directory Access Protocol) is a cross-platform protocol used for authentication to the directory services. LDAP is used for the communication between the application and the directory services servers which store and share information about users, passwords, and computer accounts.

LDAP is the communication protocol with the AD. Many different directory services (not only Microsoft AD) can understand the LDAP protocol.

Domain Controller: LDAP Server Signing Requirements

LDAP Reconnaissance:

LDAP reconnaissance is one of the first steps and the foundation of almost every AD attack. An attacker can use this technique to gather data without credentials. By using tools such as Bloodhound and PowerView, the attacker can map your network, find sensitive assets, domain admins, and vulnerable services.

An example of a Bloodhound generated map to find Domain Admin.

How the attack works:

An attacker gets access to a user in the domain (via phishing or any other method).
The attacker uses PowerShell to create queries against AD objects to find out information about:

* User objects containing Service Principal Names (SPN) that will indicate if the account has the privileges to run services to support applications like SQL server.
* Whether the user is a member of Sensitive Security Groups such as Domain, Enterprise, and Schema Admins. This allows the attacker to list the highest privileged accounts in the domain.
* Location of high profile assets like file servers, databases, and AD Domain Controllers.

The LDAP is deployed as a default part of the domain controller services, and in most environments stays like that. This means that with default configurations every account in the domain has the permission to perform reconnaissance. So basically, a single point of failure on any standard user account can lead to a large-scale breach.

What can be done to lower the risk for an LDAP Reconnaissance attack:

Because it is essential to allow LDAP queries to the users in the domain, preventing LDAP reconnaissance by changing configuration will dramatically harm your production. The next option is based on auditing and hunting LDAP based attacks. This is done mainly by using LDAP search filters and system auditing configurations.

Detecting Anomalies:

Unusual queries that can be suspected to be part of malicious reconnaissance need to be searched for. For example, an LDAP query that aims to collect many different entities from the domain can be a sign for malicious activity:

Process: sharphound.exe

DistinguishName: DC=lmsdn,DC=local

ScopeOfSearch: SubTree

AttributeList: [“objectsid”,”distiguishedname”,”samaccountname”,

“distinguishedname”,”samaccounttype”,”member”,”cn”,”primarygroupid”,

“dnshostname”,”ms-mcs-admpwdexpirationtime”]

SearchFilter:

(|

(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870912)(smaccounttype=536870913)(primarygroupid=*))

(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

(objectclass=domain)

)

The following list was compiled by Microsoft Defender ATP Research Team and contains suspicious search filter queries, used with recon tools, that highlights LDAP query filters originating from fileless of file-based execution:

Recon tool	Filter
enum_ad_user_comments (Metasploit)	(&(&(objectCategory=person)(objectClass=user))(\| (description=pass)(comment=pass)))
enum_ad_computers (Metasploit)	(&(objectCategory=computer)(operatingSystem=server))
enum_ad_groups (Metasploit)	(&(objectClass=group))
enum_ad_managedby_groups (Metasploit)	(&(objectClass=group)(managedBy=)), (&(objectClass=group)(managedBy=)(groupType:1.2.840.113556.1.4.803:=2147483648))
Get-NetComputer (PowerView)	(&(sAMAccountType=805306369)(dnshostname=*))
Get-NetUser – Users (Powerview)	(&(samAccountType=805306368)(samAccountName=*)
Get-NetUser – SPNs (Powerview)	(&(samAccountType=805306368)(servicePrincipalName=*)
Get-DFSshareV2 (Powerview)	(&(objectClass=msDFS-Linkv2))
Get-NetOU (PowerView)	(&(objectCategory =organizationalUnit)(name=*))
Get-DomainSearcher (Empire)	(samAccountType=805306368)

Once you spot anomalies in the queries, it is important to try and search for additional activities that can incriminate that it was indeed done maliciously. Having a suspicious query is often not enough to decide whether an attack is occurring or not.

Having a Good Audit Policy:

Configure 'Audit Policy: Account Management: Application Group Management' to 'success and failure'.

The default configuration of this object in most OS versions is 'No Auditing'. Changing configuration will report each event of application group management on a computer. If you enable this Audit policy setting, administrators can track events to detect suspicious actions. Among others are:

* 4790: An LDAP query group was created.
* 4792: An LDAP query group was deleted.

Why NTLMv1 will always be vulnerable to NTLM Relay attacks

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Preventing LDAP Reconnaissance- The First Step of AD Attacks

What is the difference between LDAP and Active Directory:

LDAP Reconnaissance:

How the attack works:

What can be done to lower the risk for an LDAP Reconnaissance attack:

Detecting Anomalies:

Having a Good Audit Policy:

Subscribe to Email Updates

You might be interested

Experience a personalized demo