Life Buzz News

LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory


This article provides a practical guide to developing a detection strategy for Lightweight Directory Access Protocol (LDAP)-based attacks. We analyze real-world examples of nation-state and cybercriminal threat actors abusing LDAP attributes. We also examine common LDAP enumeration queries and assess their potential risks.

LDAP is a powerful protocol for accessing and managing directory services like Active Directory. Criminals commonly use LDAP for lateral movement and for enumerating critical assets during on-premises cyberattacks. Threat actors also frequently use tools like BloodHound and SharpHound, which leverage LDAP for malicious purposes.

Distinguishing benign from malicious LDAP activity within an organization is challenging. The high volume of benign event logs generated by a domain controller makes both collecting and detecting malicious LDAP activity extremely difficult.

Palo Alto Networks customers are better protected against LDAP-based attacks through Cortex XDR, XSIAM and Xpanse, which we detail further in the Conclusion.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

LDAP is a fundamental protocol used across nearly every Windows environment, enabling administrators to access directory services like Active Directory. This protocol is used for managing users and groups, as well as allowing applications to query directory data in the background. Although developed by Microsoft and primarily used in Windows environments, LDAP is vendor-agnostic and can be used on non-Windows systems like macOS and Linux.

Threat actors often use LDAP because its functionality is so useful. Advanced persistent threat (APT) groups and other adversaries often use LDAP for network enumeration during the discovery phase of an attack. Attackers query directories to extract sensitive information such as user accounts, group memberships and permissions, which they then use to escalate privileges and target critical assets.

LDAP has evolved significantly since its introduction in the early 1990s, adapting to the changing needs of directory services and security challenges. Below are two examples of changes in the more recent versions of LDAP:

Tools like BloodHound and its C# data collector, SharpHound, have evolved alongside these protocols to visualize and analyze Active Directory environments. SOAPHound builds on these advancements by using ADWS to enumerate Active Directory data.

The high volume of log data generated by LDAP can overwhelm detection systems and make it difficult to identify malicious activity. It generates so much log data because it is used by many systems and applications.

For example, common processes like Outlook generate LDAP logs, highlighting the protocol's extensive role in directory services. This pervasive use means that malicious LDAP activity can get lost amid the noise of normal operations.

To manage LDAP log volume effectively, focus on filtering relevant data, such as:

To address these challenges, Windows offers native logging of LDAP activity from the following sources:

This section provides real-world examples of attackers using LDAP enumeration tools against Active Directory environments.

As part of a campaign targeting government entities in Southeast Asia from 2021 to 2023, Stately Taurus was linked to the use of AdFind during the reconnaissance stage of the attack.

AdFind is a command-line query tool that can be used for LDAP enumeration by gathering information from an Active Directory domain controller. During the attack, threat actors renamed the tool from adfind.exe to a.logs in an attempt to evade detection.

Figure 3 shows a screenshot from a Cortex XDR alert in which the threat actor attempted to save the results of an AdFind query to the following filenames:

Affiliates of the BlackCat (ALPHV) ransomware group, which we track as Ambitious Scorpius, have used ADRecon in multiple intrusions. ADRecon is a PowerShell script that uses LDAP to gather information about an Active Directory environment and generates a report that provides a snapshot of the targeted network.

Due to this group's continued use of ADRecon, we assess that the tool could be a part of the Ambitious Scorpius playbook. Figure 4 shows a Cortex XDR alert on the detection and prevention of ADRecon activity.

In April 2024, The DFIR Report described an intrusion that involved IcedID malware and Dagon Locker ransomware. During this intrusion, the attackers used SharpHound to collect data about the Active Directory environment.

SharpHound is a data collector component of BloodHound. It uses Windows API and LDAP functions to collect data from domain controllers and Windows systems that are part of the domain. Figure 5 shows the detection and prevention of SharpHound in Cortex XDR.

Detecting LDAP-based attacks effectively involves monitoring LDAP logs for suspicious activity. Event logs capture crucial data, including:

Legitimate LDAP queries typically target specific objects or attributes, resulting in fewer visited and returned entries. On the other hand, enumeration attempts use broader queries as attackers seek to collect as much information as possible by querying all users, computers or groups.

Below are key detection strategies to help identify and mitigate LDAP enumeration attempts:

1. Visited and returned entries

Review Event ID 1644 logs for both visited and returned entries.

2. User context

Analyzing LDAP queries for user context can also reveal enumeration activity:

3. Baseline and anomalies

Establishing a baseline for LDAP query data can help reveal anomalies or deviations from standard user and machine behavior. This strategy has three components:

4. LDAP query filters

Since attackers use diverse LDAP query filters to extract directory data, a wide variety of these filters in LDAP query logs often point to enumeration activity. The type of LDAP query filter can reveal the type of enumeration. Some common types of LDAP enumeration that are important to monitor include:

Attackers commonly use the following attributes in LDAP queries:

Appendix A shows an example of an XQL query in Cortex XDR to track the above LDAP attributes.
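As an added example (not code from the original article), the following Python scores constructed Event ID 1644-style records using two of the signals described above: broad searches with many visited and returned entries, and a single principal issuing many distinct filters. The field names, thresholds and sample values are assumptions, not taken from a real domain controller.

```python
# Added example, not from the article: scoring constructed Event ID 1644-style records for
# LDAP enumeration. Field names mirror the 1644 event, but every value below is made up.
from collections import defaultdict

# Constructed records: a help-desk account doing targeted lookups, one host sweeping the directory.
EVENTS = [
    {"client": "10.0.0.5", "user": "CORP\\helpdesk1", "filter": "(sAMAccountName=jsmith)",
     "visited": 1, "returned": 1},
    {"client": "10.0.0.5", "user": "CORP\\helpdesk1", "filter": "(sAMAccountName=adoe)",
     "visited": 1, "returned": 1},
    {"client": "10.0.0.77", "user": "CORP\\jdoe", "filter": "(&(objectCategory=person)(objectClass=user))",
     "visited": 4210, "returned": 4200},
    {"client": "10.0.0.77", "user": "CORP\\jdoe", "filter": "(objectClass=computer)",
     "visited": 812, "returned": 800},
    {"client": "10.0.0.77", "user": "CORP\\jdoe", "filter": "(objectClass=group)",
     "visited": 350, "returned": 348},
]

def score_events(events, visited_threshold=300, distinct_filter_threshold=3):
    """Return {user: [reason, ...]} for principals showing either signal: a search that
    visited many entries, or many distinct filters from the same principal (assumed thresholds)."""
    findings = defaultdict(list)
    filters_by_user = defaultdict(set)
    for ev in events:
        filters_by_user[ev["user"]].add(ev["filter"])
        # Broad query: the DC walked many objects, whatever the client finally received.
        if ev["visited"] >= visited_threshold:
            findings[ev["user"]].append(
                f"broad search from {ev['client']}: {ev['filter']} "
                f"(visited={ev['visited']}, returned={ev['returned']})")
    for user, flt in filters_by_user.items():
        if len(flt) >= distinct_filter_threshold:
            findings[user].append(f"{len(flt)} distinct filters from one principal")
    return dict(findings)

def flagged_users(events, **thresholds):
    """Sorted list of principals with at least one finding."""
    return sorted(score_events(events, **thresholds))

if __name__ == "__main__":
    for user, reasons in score_events(EVENTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

The thresholds are the tunable part: step 3 above (baselining) is what should set them for a given domain, since a help-desk tool and a data collector differ mainly in how many objects the domain controller has to visit per query and how many different filters one account issues.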

Figure 6 displays a table detailing examples of LDAP attributes, including their definitions and potential implications for security.

LDAP is a double-edged sword in Active Directory. It is essential for administration yet vulnerable to exploitation. While LDAP simplifies directory management, attackers can exploit its powerful querying capabilities to gather sensitive information.

This article highlights the challenges of detecting malicious LDAP activity. It also provides real-world examples of LDAP enumeration attacks, along with practical detection tips.

Understanding and monitoring LDAP enumeration, coupled with robust detection strategies, is essential to mitigating risks and securing directory services.

For Palo Alto Networks customers, our products and services provide the following coverage:

If you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

The following XQL query in Cortex tracks LDAP query attributes commonly targeted by attackers:

LDAP queries retrieve directory objects like users, groups or computers based on specific filters. This section provides examples of query filters that system administrators can use for legitimate purposes, but that adversaries could also use for malicious purposes.

For example, to find all user accounts in an Active Directory environment, we can use the following query filter:

Additionally, we can refine queries to target specific needs by adding more attributes to the query filter. For example, to find users in privileged groups, we can use this LDAP query filter:

The above examples use the & symbol, the logical AND operator, which requires that all the specified conditions be met. LDAP supports logical operators for advanced filtering:

Attackers have an array of tools at their disposal for LDAP enumeration. Figure 7 depicts some of these key tools, along with examples of queries each tool can execute:

Each tool facilitates different types of LDAP queries that attackers use to map Active Directory environments, helping them identify key targets such as service accounts and privileged users.
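As an added example that is not part of the original article, the following Python implements a minimal parser and evaluator for LDAP filters in the RFC 4515 syntax used in the appendix above, so the effect of the &, | and ! operators can be traced against a constructed directory. The sample entries, the group DN and the "all users" and "privileged users" filters are assumptions chosen to resemble the appendix's examples, not the article's own queries.

```python
# Added example, not from the article: a minimal RFC 4515 filter parser/evaluator showing how
# the &, | and ! operators combine conditions. Directory entries and filters are constructed.
def parse_filter(s, i=0):
    """Parse s[i:]; return (node, next_index). Nodes: (op, children) or ("=", attr, value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":                       # AND / OR: a list of sub-filters
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":                      # NOT: exactly one sub-filter
        child, i = parse_filter(s, i + 1)
        node = ("!", [child])
    else:                                  # equality or presence item: attr=value / attr=*
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        node, i = ("=", attr.strip().lower(), value), end
    if s[i] != ")":
        raise ValueError(f"expected ')' at {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry: dict of lowercase attribute -> list of values."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence: the attribute has at least one value
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # case-insensitive compare

def search(directory, filter_str):
    node, _ = parse_filter(filter_str)
    return [e["cn"][0] for e in directory if matches(node, e)]

# Constructed directory: two users (Alice is a Domain Admin) and one computer account.
DA = "CN=Domain Admins,CN=Users,DC=corp,DC=example"
DIRECTORY = [
    {"cn": ["Alice"], "objectcategory": ["person"], "objectclass": ["top", "user"], "memberof": [DA]},
    {"cn": ["Bob"], "objectcategory": ["person"], "objectclass": ["top", "user"], "memberof": []},
    {"cn": ["WS01"], "objectcategory": ["computer"], "objectclass": ["top", "user", "computer"]},
]
ALL_USERS = "(&(objectCategory=person)(objectClass=user))"
PRIV_USERS = f"(&(objectCategory=person)(objectClass=user)(memberOf={DA}))"
```

Running `search(DIRECTORY, ALL_USERS)` returns both user accounts but not the computer, because computer objects in this constructed directory carry objectClass user yet a different objectCategory; `search(DIRECTORY, PRIV_USERS)` narrows that to Alice, which is exactly the difference between a broad enumeration filter and a targeted one.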

Understanding the nature of LDAP enumeration queries that attackers use is critical for detecting malicious activity in Active Directory environments. Here are some common queries and their potential risks:
