Once an adversary has a foothold in the network, they begin the internal reconnaissance, or ‘discovery’, phase to establish what level of access they have.
There are several ways to achieve this, all of which Vectra AI covers with detections out of the box, but a prominent one is querying Active Directory over LDAP (Lightweight Directory Access Protocol), an industry-standard protocol that Active Directory servers support by default. Using LDAP, we can identify computers, accounts, groups and applications within the domain.
Using this information, we can quickly identify targets of interest: why waste time cracking passwords for accounts that won’t give you the permissions you need to RDP from your current host to the domain controller? Common tools that leverage LDAP include BloodHound, SharpHound and AdFind.
Signs of a Suspicious LDAP Query
- This host is querying Active Directory using the LDAP protocol in a manner consistent with reconnaissance behavior
- The LDAP queries are either unusually broad in scope or are specifically targeting accounts and groups that have names which imply administrative privilege
- The threat score is driven by the volume of returned objects across the suspicious queries observed: a high volume of returned objects leads to a higher score and a low volume leads to a lower score
- The certainty score is driven by the number of suspicious queries observed: hosts that make multiple suspicious queries will have a higher certainty
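To make the two scoring drivers above concrete, here is an added example (not Vectra AI's code or its real formula) that classifies constructed LDAP search filters as broad or privilege-seeking and derives a threat value from the objects those queries returned and a certainty value from how many suspicious queries a host made; the host names, filters, counts and 0-99 thresholds are all assumptions.

```python
import re

# Constructed sample of LDAP search requests, as they might be exported from
# domain-controller or network-sensor logs: (source host, search base, filter,
# objects returned). Made-up values for illustration, not real telemetry.
SAMPLE_QUERIES = [
    ("ws-finance-07", "DC=corp,DC=example", "(objectClass=*)", 4200),
    ("ws-finance-07", "DC=corp,DC=example", "(&(objectCategory=group)(name=*admin*))", 35),
    ("ws-finance-07", "DC=corp,DC=example", "(adminCount=1)", 18),
    ("ws-hr-02", "OU=Printers,DC=corp,DC=example", "(objectClass=printQueue)", 12),
    ("ws-hr-02", "DC=corp,DC=example", "(sAMAccountName=jsmith)", 1),
]

# Filters that enumerate a whole object class with no narrowing attribute.
BROAD_FILTERS = {"(objectClass=*)", "(objectCategory=person)",
                 "(objectCategory=computer)", "(objectCategory=group)"}
# Name fragments implying administrative privilege (Domain Admins, Account
# Operators, ...); adminCount=1 is set on objects protected by AdminSDHolder.
PRIV_NAME_RE = re.compile(r"admin|operators", re.I)


def is_suspicious(search_filter):
    """Return a reason string if the filter looks like reconnaissance, else None."""
    if search_filter in BROAD_FILTERS:
        return "broad scope"
    if PRIV_NAME_RE.search(search_filter):
        return "targets privileged names"
    return None


def score_host(host, queries):
    """Threat tracks objects returned by the host's suspicious queries; certainty
    tracks how many suspicious queries it made. The 0-99 scale and thresholds
    are this example's own assumptions, not the product's formula."""
    hits = []
    for src, _base, flt, returned in queries:
        reason = is_suspicious(flt)
        if src == host and reason:
            hits.append((flt, returned, reason))
    objects = sum(returned for _flt, returned, _reason in hits)
    threat = min(99, objects // 50)       # about 5,000 returned objects saturates
    certainty = min(99, 30 * len(hits))   # four suspicious queries saturate
    return {"host": host, "hits": hits, "threat": threat, "certainty": certainty}


def score_all(queries):
    """Score every source host seen in the log, keyed by host name."""
    return {h: score_host(h, queries) for h in sorted({q[0] for q in queries})}
```

Run over the sample, ws-finance-07 is flagged on three queries with a high threat value driven almost entirely by the full-directory enumeration, while ws-hr-02's narrow, benign lookups score zero on both dials.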
Why Attackers Query LDAP
- An attacker is active inside the network and is mining information from one or more Active Directory servers in order to build a better map of assets in the network
- An admin is retrieving information from AD in order to complete a certain task or create a report
- An auditing application installed on this host is retrieving information from AD as part of its core functionality
Business Impact of a Suspicious LDAP Query
- A scan of information in an Active Directory server is an effective way for an attacker to determine what accounts are privileged inside an organization’s network and what the names of servers and infrastructure components are
- Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often far less noticeable than a port sweep or port scan, so attackers feel they can use it with relatively little risk of detection
How to Investigate a Suspicious LDAP Query
- Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
- Inquire whether the host should be making the queries listed in the detection
- If the LDAP queries continue and remain unexplained, determine which process on the internal host is making the queries; on Windows systems, this can be done by combining the netstat and tasklist commands