This LDAP search filter will collect all the accounts, SPNs, group memberships, domains, GPOs, etc. Enumerate all the same data like SharpHound does.
In order to run the LDAP queries, we are going to use the famous tool ADFind. This helps us to understand it much better, which is doing it in practice. We have to do the same thing, as they do. This may indicate reconnaissance activities of an attacker.Īn LDAP query with multiple search filters in one request happens rarely, so it might be an indication of an attacker performing reconnaissance.Īdversaries have been using LDAP to perform reconnaissance, so if we want to understand the techniques of the attackers. However, it is very rare, that a process is running an LDAP query with multiple search filters in one request. (!(UserAccountControl:1.2.840.113556.1.4.803:=2))Īll the accounts in AD, including the one’s that are disabledĪdvanced Hunting provides great visibility in all the LDAP search filters that have been ran by a process. Search FilterĬontains the relative identifier (RID) for the primary group of the user Now we have to understand what data SharpHound collects, so we will look the above LDAP query and split every LDAP search filter into different pieces.
In this example, we can see that, after we ran SharpHound. The great thing is that we can see which LDAP query was ran during the time. Once we ran this data collector, we can see that Microsoft Defender for Endpoint has captured all the LDAP queries that have been ran.Īfter we received the alerts, we have to determine whether it is suspicious behavior or not. SharpHound uses LDAP queries to collect information within Active Directory.
#MICROSOFT LDAP QUERY TOOL HOW TO#
How to make less noise when doing LDAP reconnaissance?.OpSec mistakes attackers make when doing LDAP reconnaissance.Executing LDAP queries by ourselves with ADFind (to understand it better).Determine whether it is LDAP reconnaissance activity or not.I just wanted to give a follow-up by adding some additional information to it and go a bit further with explaining on how we can run LDAP queries by ourselves. This blog post has been inspired by an article from Microsoft, which can be found here. Discovering such kind of reconnaissance activities in an early stage will benefit defenders in stopping a potential intrusion. In overall, LDAP is the protocol to communicate within a directory service.Īdversaries can use the LDAP protocol to perform reconnaissance and gather information that is stored within Active Directory to find attack paths and sensitive accounts with high-privileges. It also provides the communication language that applications require to send and receive information from directory services, such as Active Directory. The primary function of LDAP is to enable folks to find data about users, groups, computers, and much more. Lightweight Directory Access Protocol (LDAP) is one of the core protocols used for directory services.