Knowing this, we can write a detection that searches for these IOCs in the LDAP search filter.
AD Explorer uses ‘objectGUID=*’ in many of its queries, which is very distinctive of this tool. It turns out that some of the collection tools have very specific filters that can be used as an IoC to detect these tools: The filter used for the LDAP search is available in the AdditionalFields.SearchFilter field. The screenshot below shows an example of an LdapSearch event. LDAP queries are logged to the DeviceEvents table using the ‘LdapSearch’ action type. Microsoft Defender for Endpoint collects LDAP queries performed on monitored endpoints using a user-space ETW provider called ‘ Microsoft-Windows-LDAP-Client’. Domain controller object access logging via SACLs and audit policies.ĭetection method 1 - Client-side LDAP query logging. Domain controller LDAP query logging via Microsoft Defender for Identity. Client-side LDAP query logging via Microsoft Defender for Endpoint. In this article we will discuss three different methods that can be used to detect data collection from Active Directory: This snapshot file can be loaded into BloodHound using the awesome ADExplorerSnapshot.py tool by Cedric van Bockhaven. 
AD Explorer, provided by Microsoft as part of the Sysinternals suite, which can be used to interactively browse an Active Directory, as well as generate a complete snapshot of the Active Directory in a file. SharpHound, which is provided as part of BloodHound and is intended to effectively collect large quantities of data from an Active Directory environment. Popular tools to collect data from Active Directory are: 
The extracted data can be analyzed using tools to find complex paths that allow privilege escalation and lateral movement.
When attackers gain access to a large corporate environment, one of the things they tend to do is extract large quantities of data from Active Directory.
0 kommentar(er)
