When an attacker first compromises a system on a network, they usually have little or no privilege within the domain. However, once an attacker controls any domain-joined computer, the credentials of any domain user (including the machine's own computer account) are enough to query Active Directory (AD) and its objects over the Lightweight Directory Access Protocol (LDAP), allowing them to locate sensitive accounts and assets to target in their attack.
LDAP reconnaissance is difficult to detect. Because of how AD is designed, the default ACLs grant every authenticated user read access to most objects and attributes, so searching AD for information about privileged accounts rarely requires privileged rights, and the queries look like the ordinary directory traffic that clients generate constantly.
Monitor for the LDAP activity generated by attack path mapping tools such as BloodHound, which enumerate users, groups, computers, sessions and object ACLs to show an attacker how to move laterally across the network towards higher-value targets. A practical data source on domain controllers is Directory Service event 1644 (enabled through the "15 Field Engineering" diagnostic setting), which records the client, filter, scope and attributes of expensive searches; a single client issuing broad searches for all users, all computers, accounts with SPNs and security descriptors within a short window is the pattern to alert on.
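The following is an added example, not code from the original page or from BloodHound. It scores LDAP search requests by filter, scope, base DN and requested attributes (the fields recorded in event 1644 or by an LDAP proxy) against a small table of reconnaissance indicators, and flags any client whose searches match several distinct indicators. The indicator table, the threshold and the sample records are constructed for illustration and are not an exhaustive signature of any tool.

```python
"""Heuristic detector for BloodHound-style LDAP reconnaissance.

Added example; not code from the original page or from BloodHound.
Scores LDAP search requests (filter, scope, base DN, attributes) against
constructed reconnaissance indicators and flags clients that hit several
distinct ones. The sample records are constructed for illustration.
"""
import re
from collections import defaultdict

# Indicator name -> regex matched case-insensitively against the LDAP filter.
# Constructed heuristics, not an exhaustive tool signature.
FILTER_INDICATORS = {
    "enum_users": r"samaccounttype=805306368|objectcategory=person",
    "enum_groups": r"samaccounttype=268435456|objectclass=group\)",
    "enum_computers": r"samaccounttype=805306369|objectcategory=computer",
    "kerberoast_spn": r"serviceprincipalname=\*",
    "asrep_no_preauth": r"useraccountcontrol:1\.2\.840\.113556\.1\.4\.803:=4194304",
    "enum_trusts": r"objectclass=trusteddomain",
    "enum_gpos": r"objectclass=grouppolicycontainer",
    "protected_accounts": r"admincount=1",
}


def score_query(ldap_filter, attributes, scope, base_dn):
    """Return the set of reconnaissance indicators one search request matches."""
    tags = set()
    lowered = ldap_filter.lower()
    for name, pattern in FILTER_INDICATORS.items():
        if re.search(pattern, lowered):
            tags.add(name)
    attrs = {a.lower() for a in attributes}
    # Bulk reads of nTSecurityDescriptor are how ACL-based attack paths are built.
    if "ntsecuritydescriptor" in attrs:
        tags.add("acl_collection")
    # Subtree search from the domain root asking for every attribute (or no
    # attribute list, which LDAP treats as "all user attributes") dumps the domain.
    if (scope.lower() == "subtree" and base_dn.lower().startswith("dc=")
            and (not attrs or "*" in attrs)):
        tags.add("domain_wide_dump")
    return tags


def find_recon_clients(records, min_tags=3):
    """Aggregate indicators per client and flag clients with >= min_tags distinct ones."""
    per_client = defaultdict(set)
    for rec in records:
        per_client[rec["client"]] |= score_query(
            rec["filter"], rec["attributes"], rec["scope"], rec["base_dn"])
    return {client: sorted(tags)
            for client, tags in per_client.items() if len(tags) >= min_tags}


# Constructed sample records: one collector-like host and two ordinary clients.
DOMAIN = "DC=corp,DC=example"
RECORDS = [
    {"client": "10.10.20.55", "base_dn": DOMAIN, "scope": "subtree",
     "filter": "(|(samaccounttype=805306368)(samaccounttype=805306369)(samaccounttype=268435456))",
     "attributes": ["*", "ntsecuritydescriptor"]},
    {"client": "10.10.20.55", "base_dn": DOMAIN, "scope": "subtree",
     "filter": "(&(samaccounttype=805306368)(serviceprincipalname=*))",
     "attributes": ["samaccountname", "serviceprincipalname"]},
    {"client": "10.10.20.55", "base_dn": DOMAIN, "scope": "subtree",
     "filter": "(useraccountcontrol:1.2.840.113556.1.4.803:=4194304)",
     "attributes": ["samaccountname"]},
    {"client": "10.10.20.55", "base_dn": "CN=System," + DOMAIN, "scope": "subtree",
     "filter": "(objectclass=trusteddomain)", "attributes": ["name", "trustdirection"]},
    # A workstation resolving a single user: normal traffic.
    {"client": "10.10.30.12", "base_dn": DOMAIN, "scope": "subtree",
     "filter": "(&(objectclass=user)(samaccountname=jdoe))",
     "attributes": ["mail", "displayname"]},
    # A print server listing queues in its own OU: normal traffic.
    {"client": "10.10.30.40", "base_dn": "OU=Printers," + DOMAIN, "scope": "onelevel",
     "filter": "(objectclass=printqueue)", "attributes": ["printername"]},
]

if __name__ == "__main__":
    for client, tags in find_recon_clients(RECORDS).items():
        print(f"{client}: {', '.join(tags)}")
```

On real data the records would be built from event 1644 fields or LDAP proxy logs, and the threshold tuned against a baseline of legitimate bulk readers such as backup, inventory and identity-sync hosts, which will also trip the domain-wide indicators and belong on an allow list rather than in the alert.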
LDAP reconnaissance cannot be stopped entirely, because the design of Active Directory depends on clients being able to read the directory. What can be controlled is what a low-privileged query returns, so it is important to ensure that sensitive data is protected from LDAP queries by principals that have no need to read it.
APPROACH
Sensitive Object & Attribute Permissions
DESCRIPTION
Ensure objects and attributes that should be protected (e.g. the ms-Mcs-AdmPwd attribute, which holds the LAPS-managed local administrator password) are secured so that they cannot be read or exported through LDAP by unauthorised principals. ms-Mcs-AdmPwd is marked confidential in the schema, so reading it requires the CONTROL_ACCESS extended right on the attribute rather than plain read-property permission; audit which principals hold that right on each computer object and its parent OUs, and remove any that are not on the approved list.
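The following is an added example, not code from the original page or from LAPS. It parses the DACL portion of an SDDL string (the form in which an object's ACL can be exported from AD) and lists the trustees whose allow ACEs grant CONTROL_ACCESS or GENERIC_ALL on a confidential attribute, then compares them against an expected list. The attribute GUID is a placeholder, because the schemaIDGUID of ms-Mcs-AdmPwd is generated when the schema is extended and differs per forest, and the sample SDDL is constructed.

```python
"""Audit which trustees can read a confidential AD attribute such as
ms-Mcs-AdmPwd from an object's DACL in SDDL form.

Added example; not code from the original page or from LAPS. For a
confidential attribute, read-property (RP) alone is not enough: the
trustee needs CONTROL_ACCESS (CR) on that attribute, CR on all extended
rights (empty object GUID), or GENERIC_ALL (GA). The attribute GUID and
the sample SDDL below are constructed placeholders.
"""
import re

# SDDL access-right abbreviations mapped to their ACCESS_MASK bits.
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
CONTROL_ACCESS = RIGHTS["CR"]
GENERIC_ALL = RIGHTS["GA"]


def parse_rights(field):
    """Convert an SDDL rights field (two-letter codes or 0x hex) to an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts; owner, group and SACL are ignored."""
    # Section keys O:, G:, D:, S: never occur inside an ACE, which uses ';' separators.
    marks = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", sddl)]
    dacl = ""
    for i, (pos, key) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(sddl)
        if key == "D":
            dacl = sddl[pos + 2:end]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = body.split(";")[:6]
        aces.append({"type": ace_type, "flags": flags, "mask": parse_rights(rights),
                     "object_guid": obj_guid.lower(), "trustee": trustee})
    return aces


def readers_of_confidential_attr(aces, attr_guid):
    """Trustees granted CR or GA on attr_guid (or on all extended rights), minus explicit denies."""
    attr_guid = attr_guid.lower()
    allowed, denied = set(), set()
    for ace in aces:
        scoped = ace["object_guid"] in ("", attr_guid)
        grants = bool(ace["mask"] & (CONTROL_ACCESS | GENERIC_ALL))
        if not (scoped and grants):
            continue
        if ace["type"] in ("A", "OA"):
            allowed.add(ace["trustee"])
        elif ace["type"] in ("D", "OD"):
            denied.add(ace["trustee"])
    return allowed - denied


def unexpected_readers(aces, attr_guid, expected):
    """Trustees that can read the attribute but are not on the expected list."""
    return sorted(readers_of_confidential_attr(aces, attr_guid) - set(expected))


# Constructed placeholder for the forest-specific schemaIDGUID of ms-Mcs-AdmPwd.
ADMPWD_GUID = "11111111-2222-3333-4444-555555555555"
HELPDESK = "S-1-5-21-1004336348-1177238915-682003330-1105"
STRAY = "S-1-5-21-1004336348-1177238915-682003330-1234"

# Constructed DACL for a workstation computer object.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;SY)"                                   # SYSTEM: generic all
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"            # Domain Admins: full control
    f"(OA;CI;CR;{ADMPWD_GUID};;{HELPDESK})"           # helpdesk: CR on the attribute
    f"(OA;CI;RP;{ADMPWD_GUID};;AU)"                   # Authenticated Users: RP only, insufficient
    "(A;;RPLCLORC;;;AU)"                             # Authenticated Users: default read
    f"(OA;CI;CR;;;{STRAY})"                          # stray group: CR on ALL extended rights
)
EXPECTED_READERS = ["SY", "DA", HELPDESK]

if __name__ == "__main__":
    for trustee in unexpected_readers(parse_dacl(SAMPLE_SDDL), ADMPWD_GUID, EXPECTED_READERS):
        print("unexpected reader of ms-Mcs-AdmPwd:", trustee)
```

The trustees come back as SIDs or SDDL aliases, so the caller still has to resolve them and expand group membership; the check also ignores property sets, so a principal granted CR on a property set that contains the attribute would be missed and should be reviewed separately.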