Suspicious LDAP (Lightweight Directory Access Protocol) queries are often indicative of reconnaissance activities within a network. Attackers use LDAP queries to enumerate and gather information about users, groups, computers, and other directory objects within an Active Directory environment. This detection identifies abnormal LDAP query patterns that deviate from typical usage, potentially signaling malicious intent.
Once an adversary has access to the network, they’re going to begin the internal reconnaissance or ‘discovery’ phase to identify what level of access they have.
There are several ways to achieve this, and Vectra AI offers strong detection coverage for them out of the box, but a prominent one is querying Active Directory over LDAP (Lightweight Directory Access Protocol), an industry-standard protocol that Active Directory servers support by default.
Using LDAP, an adversary can identify computers, accounts, groups and applications within the domain. With this information they can quickly identify targets of interest: why waste time cracking passwords for accounts that will not grant the permissions needed to RDP from the current host to the domain controller?
Common tools that leverage LDAP include Bloodhound, Sharphound and ADFind.
Scenario 1: An internal host is observed making a high volume of LDAP queries targeting user account details. Further investigation reveals that the host has been compromised, and the attacker is using it to gather information about user accounts for potential password attacks.
Scenario 2: A non-administrative account is found performing LDAP queries during off-hours. The queries are traced back to a script running on a misconfigured server, leading to excessive directory enumeration activities.
If this detection indicates a genuine threat, the organization faces significant risks:
Unauthorized access to directory information can provide attackers with details about network structure, user accounts, and other critical data.
Enumerated accounts may be targeted for credential theft, leading to potential privilege escalation.
Information gathered through LDAP queries can aid attackers in planning and executing more sophisticated attacks, such as lateral movement and data exfiltration.
Examine logs for the volume, frequency, and types of LDAP queries performed. Tools like Windows Event Viewer or SIEM solutions can be used for this.
Identify the source of the LDAP queries. Verify if the originating host and user account are authorized to perform such queries.
Use network analysis tools to inspect the network traffic associated with the LDAP queries. Look for any anomalies or signs of malicious activity.
Coordinate with relevant teams to determine if any legitimate administrative tasks or security assessments were being performed that could explain the queries.