When an attacker manages to break into an on-premises domain environment, one of the first steps they normally take is to gather information and perform domain reconnaissance. Reconnaissance involves identifying the users, resources and computers in the domain and then building an understanding of how those resources are used to form your domain environment.  


While an attacker can gather some data without credentials, research has revealed that most of the time attackers make use of normal, non-privileged domain user rights to make their moves.


Figure 1 - BloodHound generated graph used to find a Domain Admin (source: https://wald0.com/?p=68)


How do LDAP-based attacks succeed if security is in place?  


In most environments, every account in the domain has the permissions needed to perform reconnaissance using the LDAP protocol, and LDAP is deployed as a default part of domain controller services. With the default configuration in place, any domain user can retrieve domain configuration, such as where Exchange servers are installed, or account-related details, such as Domain Admins group membership lists, which accounts can delegate authentication, which users have a Kerberos principal name, and more.


Aside from user accounts, most on-premises domain services use LDAP as a key element for their basic functionality, and group policies are sent to every domain computer over LDAP.   


Attackers are known to use LDAP queries to map the domain environment, using publicly available tools such as PowerView and BloodHound to run the queries. These tools collect all users, groups, computer accounts and account access control lists (ACLs) in the environment. Once the collected data is parsed, it is stored in a graph database and used to build a visual graph of the edges between the different accounts, helping attackers plan their lateral movement through the domain.


Adding standard user account risk to LDAP group policy exposure, you can quickly see why LDAP is a potential attack gold mine. By exploiting your LDAP exposure, attackers find sensitive group memberships and vulnerable services, and map domain account relationships using any user permissions they can obtain in your domain.


A single point of failure on a standard user account can be the start of a large-scale breach.


There are also other types of attacks that can be initiated with an LDAP query. Attackers can start an internal phishing campaign by enumerating users in Finance or IT groups, harvest private phone numbers that allow them to send phishing links by text message, and find local administrators on endpoint computers by retrieving and parsing group policies.


With so many methods and possible attack surfaces, can your domain be protected from LDAP risks?




To protect your domain, your organization must be able to:

  1. Define and differentiate between legitimate and malicious activity
  2. Identify and investigate activity sources and intentions
  3. Correlate related activities from the same sources
  4. Discover and remediate compromised accounts
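The first three capabilities above amount to baselining which sources normally query sensitive groups and surfacing the ones that rarely do. The following added example (written for this article, not Azure ATP code) shows that idea over a constructed, hypothetical LDAP search log: sources that query sensitive groups on fewer distinct days than a baseline threshold are flagged, so a service that does so every day is learned as normal while a one-off query from a workstation is surfaced.

```python
import re
from collections import defaultdict

# Constructed sample lines: one LDAP search per line (timestamp, source host,
# account, search filter). The format is hypothetical, not any product's log.
SAMPLE_LOG = """\
2020-05-01T08:00:01 EXCH01 svc_exchange (memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)
2020-05-01T08:10:02 EXCH01 svc_exchange (memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)
2020-05-02T08:00:03 EXCH01 svc_exchange (memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)
2020-05-02T09:15:00 LAPTOP-17 jdoe (&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local))
2020-05-02T09:15:04 LAPTOP-17 jdoe (&(objectClass=user)(memberOf=CN=Enterprise Admins,CN=Users,DC=corp,DC=local))
2020-05-02T09:15:09 LAPTOP-17 jdoe (objectClass=computer)
2020-05-02T10:00:00 WS-042 asmith (sAMAccountName=asmith)
"""

# Groups whose membership queries are worth baselining (extend per environment).
SENSITIVE_GROUPS = ("Domain Admins", "Enterprise Admins", "Backup Operators")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_log(text):
    """Yield (timestamp, source, account, filter) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def sensitive_groups_in(ldap_filter):
    """Return the sensitive group names referenced by an LDAP search filter."""
    return {g for g in SENSITIVE_GROUPS if f"CN={g}," in ldap_filter}

def flag_uncommon_sources(text, min_baseline_days=2):
    """Correlate sensitive-group queries per (source, account) and return
    {(source, account): sorted groups} for pairs seen on fewer distinct
    days than min_baseline_days, i.e. sources without an established baseline."""
    days = defaultdict(set)    # (source, account) -> days on which it queried
    groups = defaultdict(set)  # (source, account) -> sensitive groups queried
    for ts, source, account, flt in parse_log(text):
        hit = sensitive_groups_in(flt)
        if hit:
            key = (source, account)
            days[key].add(ts[:10])  # date part of the ISO timestamp
            groups[key] |= hit
    return {k: sorted(groups[k]) for k in groups if len(days[k]) < min_baseline_days}

if __name__ == "__main__":
    for (source, account), names in flag_uncommon_sources(SAMPLE_LOG).items():
        print(f"uncommon sensitive-group query from {source} ({account}): {names}")
```

In the sample, EXCH01 is seen on two days and is treated as baseline, while the single-day burst from LAPTOP-17 is the one flagged for investigation.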


Unprotected LDAP risks leave your entire organization at risk.


Backed by deep data learning modules, Azure Advanced Threat Protection now provides comprehensive LDAP alerts that learn and surface abnormal activities, identify and aid investigation of attack sources, correlate related events and suggest remediation steps for compromised accounts.


Figure 2 - Azure Advanced Threat Protection Security principal reconnaissance (LDAP) alert


As our security research team continues to develop and refine our threat protection modules and alerts, we welcome your feedback about our work and the security threats and attacks you encounter. We’re excited to hear from you and learn how we can help. 



Get Started Today


If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:

Senior Member
Are there any normal activities on a domain-joined laptop that would generate this alert? I am trying to determine if querying the domain admins group would ever not be malicious activity.

Eric, there are services that run commands to query sensitive groups, including "Domain Admins". For example, Exchange services run this query for a legitimate purpose: getting the accounts that may manage the service. Therefore, not every query to Domain Admins is malicious activity, and Azure ATP will alert on suspicious queries which are less common in the environment.

Senior Member
We are receiving these alerts for a few of our laptops querying Domain Admins and another sensitive security group, both of which are in the local admins group on the laptop. Oddly, when I check other laptops, they are querying these groups too but no alerts are generated for them. I am seeing both LDAP and SAMR queries for those groups. It seems that the ones that are triggering the alert are laptops used by users who tend to work remotely and are not connected to the network as much as the others, which are not alerting. Also, it seems that it happens every 30 days and is not constantly happening. I would expect that with a recon attack they would be trying to query all sensitive groups, which is not happening: no queries to Enterprise Admins, Backup Operators etc. Would a domain-joined laptop of a normal user who doesn't perform any IT task query these 2 groups as part of any normal process on the laptop that would occur once every 30 days? Is there a misconfiguration that could cause this? Any insights would be greatly appreciated, as I have checked the laptops I have been alerted for and I have not found any malicious tools or malware that would cause this. I really don't know what other steps I should take to determine the cause of this.