Suspicious LDAP Query

Detection overview

Suspicious LDAP (Lightweight Directory Access Protocol) queries are often indicative of reconnaissance activities within a network. Attackers use LDAP queries to enumerate and gather information about users, groups, computers, and other directory objects within an Active Directory environment. This detection identifies abnormal LDAP query patterns that deviate from typical usage, potentially signaling malicious intent.

Once an adversary has access to the network, they’re going to begin the internal reconnaissance or ‘discovery’ phase to identify what level of access they have.

There are several ways to achieve this, each of which Vectra AI covers with detection out of the box, but a prominent one is querying Active Directory over LDAP (Lightweight Directory Access Protocol), an industry-standard protocol that Active Directory servers serve by default.

Using LDAP, an adversary can identify computers, accounts, groups and applications within the domain, and from that information quickly pick targets of interest: why waste time cracking passwords for accounts that won't grant the permissions needed to RDP from the current host to the domain controller?

Common tools that leverage LDAP include BloodHound, SharpHound and AdFind.

Detection Profile

Triggers

  • This host is querying Active Directory over the LDAP protocol in a manner that resembles reconnaissance behavior
  • The LDAP queries are either unusually broad in scope or specifically target accounts and groups whose names imply administrative privilege
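As an added illustration of the two trigger conditions above (example code written for this page, not Vectra's detection logic, which is not published here), the following Python scores each querying host on the same two signals: subtree searches rooted at the domain head whose filter constrains nothing but object type, and filters that name accounts or groups implying administrative privilege. The log layout, the host addresses, the keyword list, the adminCount heuristic and the threshold are all assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed "src dst baseDN scope filter" layout
# (not a real Vectra or Windows event format).
SAMPLE_LOG = """\
10.0.5.23 10.0.1.10 DC=corp,DC=example subtree (objectClass=*)
10.0.5.23 10.0.1.10 DC=corp,DC=example subtree (&(objectCategory=person)(objectClass=user))
10.0.5.23 10.0.1.10 DC=corp,DC=example subtree (&(objectClass=group)(cn=*admin*))
10.0.7.40 10.0.1.10 DC=corp,DC=example subtree (sAMAccountName=jsmith)
10.0.7.40 10.0.1.10 OU=Workstations,DC=corp,DC=example base (objectClass=computer)
10.0.5.23 10.0.1.10 DC=corp,DC=example subtree (cn=Domain Admins)
10.0.5.23 10.0.1.10 DC=corp,DC=example subtree (&(objectClass=user)(adminCount=1))
"""

# Attributes that only say *what kind* of object is wanted; a filter built from
# these alone (every user, every group, everything) returns a whole directory slice.
OBJECT_TYPE_ATTRS = {"objectclass", "objectcategory"}
# Substrings in a target name that imply administrative privilege (assumed list).
PRIV_NAME_RE = re.compile(r"admin|operator", re.IGNORECASE)
# Matches each (attribute=value) leaf inside an LDAP search filter.
LEAF_RE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def parse_line(line):
    src, dst, base_dn, scope, ldap_filter = line.split(maxsplit=4)
    return {"src": src, "dst": dst, "base_dn": base_dn,
            "scope": scope.lower(), "filter": ldap_filter}


def is_broad(q):
    """Subtree search at the domain head whose filter only constrains object type."""
    if q["scope"] != "subtree" or not q["base_dn"].upper().startswith("DC="):
        return False
    leaves = LEAF_RE.findall(q["filter"])
    return bool(leaves) and all(a.lower() in OBJECT_TYPE_ATTRS for a, _ in leaves)


def is_privileged_target(q):
    """Filter names an admin-sounding account/group, or selects adminCount=1 objects."""
    for attr, value in LEAF_RE.findall(q["filter"]):
        attr = attr.lower()
        if attr == "admincount" and value.strip() == "1":
            return True
        if attr not in OBJECT_TYPE_ATTRS and PRIV_NAME_RE.search(value):
            return True
    return False


def score_hosts(log_text, threshold=2):
    """Return {src_host: [(filter, reasons), ...]} for hosts at or above the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        reasons = []
        if is_broad(q):
            reasons.append("broad")
        if is_privileged_target(q):
            reasons.append("privileged-target")
        if reasons:
            hits[q["src"]].append((q["filter"], reasons))
    return {src: qs for src, qs in hits.items() if len(qs) >= threshold}


if __name__ == "__main__":
    for host, queries in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(queries)} suspicious LDAP queries")
        for flt, reasons in queries:
            print(f"  {', '.join(reasons):18} {flt}")
```

On the constructed sample only 10.0.5.23 is flagged: its "everything under the domain root" searches count as broad, while the queries for *admin* groups, Domain Admins and adminCount=1 users count as privileged targeting. The host that looks up a single named account and enumerates one OU with base scope produces no hits, which is the kind of activity the Possible Root Causes section attributes to an admin or an auditing tool.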

Possible Root Causes

  • An attacker is active inside the network and is mining information from one or more Active Directory servers in order to build a better map of assets in the network
  • An admin is retrieving information from AD in order to complete a certain task or create a report
  • An auditing application installed on this host is retrieving information from AD as part of its core functionality

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
  • Inquire whether the host should be making the queries listed in the detection
  • If the LDAP queries continue and remain unexplained, determine which process on the internal host is making the queries; on Windows this can be done by combining the netstat and tasklist commands
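An added example (written for this page, not Vectra's tooling) of the netstat-plus-tasklist step above: it parses the output of `netstat -ano` and `tasklist /FO CSV` and joins them on PID so that every process holding a connection to an LDAP, LDAPS or Global Catalog port is listed by image name. When run on Windows it invokes the real commands; on any other platform it falls back to constructed sample output, so the addresses, PIDs and process names shown are assumptions.

```python
import csv
import io
import subprocess
import sys

# Standard Active Directory directory-service ports: LDAP, LDAPS, Global Catalog, GC over TLS.
LDAP_PORTS = {389, 636, 3268, 3269}

# Constructed sample in the layout of `netstat -ano` (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.23:51234        10.0.1.10:389          ESTABLISHED     4812
  TCP    10.0.5.23:51240        10.0.1.10:3268         ESTABLISHED     4812
  TCP    10.0.5.23:49700        10.0.1.10:445          ESTABLISHED     4
  TCP    10.0.5.23:51300        203.0.113.5:443        ESTABLISHED     2288
  UDP    0.0.0.0:5353           *:*                                    1532
"""

# Constructed sample in the layout of `tasklist /FO CSV`.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,024 K"
"svchost.exe","1532","Services","0","12,880 K"
"msedge.exe","2288","Console","1","210,144 K"
"powershell.exe","4812","Console","1","85,412 K"
"""


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts, skipping headers and wildcard remotes."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows carry no State column, so the PID is the last field either way.
        proto, local, remote, pid = parts[0], parts[1], parts[2], parts[-1]
        state = parts[3] if len(parts) == 5 else ""
        host, _, port = remote.rpartition(":")  # rpartition also copes with [::1]:389
        if not port.isdigit():
            continue
        rows.append({"proto": proto, "local": local, "remote_host": host,
                     "remote_port": int(port), "state": state, "pid": pid})
    return rows


def parse_tasklist_csv(text):
    """Map PID (as a string, matching netstat) to image name from `tasklist /FO CSV`."""
    return {row["PID"]: row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def ldap_connections(netstat_text, tasklist_text):
    """Join the two listings and keep only connections to directory-service ports."""
    images = parse_tasklist_csv(tasklist_text)
    return [dict(c, image=images.get(c["pid"], "<unknown>"))
            for c in parse_netstat(netstat_text) if c["remote_port"] in LDAP_PORTS]


def collect_live():
    """Run the real commands on a Windows host."""
    net = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True, text=True, check=True).stdout
    return net, tl


if __name__ == "__main__":
    net, tl = collect_live() if sys.platform == "win32" else (SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for c in ldap_connections(net, tl):
        print(f"{c['image']:>16} (PID {c['pid']}) -> {c['remote_host']}:{c['remote_port']} {c['state']}")
```

In the sample the two directory-service connections resolve to a single powershell.exe process, which is the answer the verification step is after: an interactive shell or script, rather than a known auditing agent, is a finding to take back to the host owner. SMB and HTTPS connections are parsed but filtered out, and the UDP listener is skipped because its foreign address is a wildcard.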

Business Impact

  • A scan of information in an Active Directory server is an effective way for an attacker to determine what accounts are privileged inside an organization’s network and what the names of servers and infrastructure components are
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often far less noticeable than a port sweep or a port scan, so attackers feel they can use it with relatively little risk of detection

Possible root causes

Malicious Detection

  • An attacker attempting to gather information about the network environment and directory services for later stages of an attack.
  • Compromised credentials being used to perform unauthorized directory enumeration.
  • Malware or tools like BloodHound being used to map out the Active Directory structure.

Benign Detection

  • Security or network auditing tools performing legitimate scans.
  • Misconfigured applications or scripts generating excessive LDAP queries.
  • Administrative tasks that involve bulk LDAP queries during system maintenance or upgrades.

Example scenarios

Scenario 1: An internal host is observed making a high volume of LDAP queries targeting user account details. Further investigation reveals that the host has been compromised, and the attacker is using it to gather information about user accounts for potential password attacks.

Scenario 2: A non-administrative account is found performing LDAP queries during off-hours. The queries are traced back to a script running on a misconfigured server, leading to excessive directory enumeration activities.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Exposure of Sensitive Information

Unauthorized access to directory information can provide attackers with details about network structure, user accounts, and other critical data.

Increased Risk of Credential Theft

Enumerated accounts may be targeted for credential theft, leading to potential privilege escalation.

Preparation for Further Attacks

Information gathered through LDAP queries can aid attackers in planning and executing more sophisticated attacks, such as lateral movement and data exfiltration.

Steps to investigate

MITRE ATT&CK techniques covered

FAQs

What is a Suspicious LDAP Query?

How can I detect a Suspicious LDAP Query in my network?

What are the common signs of a Suspicious LDAP Query?

Why are Suspicious LDAP Queries a significant threat?

Can legitimate software trigger this detection?

What steps should I take if I detect a Suspicious LDAP Query?

How does Vectra AI identify Suspicious LDAP Queries?

What tools can help verify the presence of a Suspicious LDAP Query?

What is the business impact of a Suspicious LDAP Query?

How can I prevent Suspicious LDAP Queries?