cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New preview detection: Security principal reconnaissance (LDAP)

%3CLINGO-SUB%20id%3D%22lingo-sub-356861%22%20slang%3D%22en-US%22%3ENew%20preview%20detection%3A%20Security%20principal%20reconnaissance%20(LDAP)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-356861%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%20color%3A%20black%3B%22%3EWe%20are%20proud%20to%20introduce%20a%26nbsp%3Bnew%20alert%20in%20preview%20mode%20that%20addresses%20Security%20principal%20reconnaissance%20(LDAP).%26nbsp%3B%20This%20type%20of%20reconnaissance%26nbsp%3Bis%20typically%20used%20by%20attackers%20to%20gain%20critical%20information%20about%20the%20domain%20environment.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%20color%3A%20black%3B%22%3ELightweight%20Directory%20Access%20Protocol%20(LDAP)%20is%20one%20the%20most%20popular%20methods%20used%20for%20both%20legitimate%20and%20malicious%20purposes%20to%20query%20Active%20Directory%20and%20is%20commonly%20used%20as%20the%20first%20phase%20of%20a%26nbsp%3B%3CSTRONG%3EKerberoasting%3C%2FSTRONG%3E%26nbsp%3Battack.%20Kerberoasting%20attacks%20are%20used%20to%20get%20a%20target%20list%20of%20Security%20Principal%20Names%20(SPNs)%2C%20which%20attackers%20then%20attempt%20to%20get%20Ticket%20Granting%20Server%20(TGS)%20tickets%20for.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%20color%3A%20black%3B%22%3EStarting%20from%20Version%202.67%2C%20Azure%20ATP%20now%20detects%20when%20suspicious%20LDAP%26nbsp%3B%3CSTRONG%3Eenumeration%3C%2FSTRONG%3E%26nbsp%3Bqueries%20are%20made%20or%20when%20queries%20targeted%20to%26nbsp%3B%3CSTRONG%3Esensitive%3C%2FSTRONG%3E%26nbsp%3Bgroups%20that%20use%26nbsp%3Bmethods%20not%20previously%20seen%20are%20observed.%26nbsp%3BIn%20order%20to%20allow%20Azure%20ATP%20to%20accurately%20profile%20and%20learn%20legitimate%20users%2C%20alerts%20of%20this%20type%20are%20only%20triggered%20first%20the%20first%20time%2010%20days%20following%20Azure%20ATP%202.67%20version%20deployment.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%20color%3A%20black%3B%22%3EFor%20more%20information%20visit%26nbsp%3B%3CU%3E%3CA%20title%3D%22https%3A%2F%2Faka.ms%2Fldaprecon%22%20href%3D%22https%3A%2F%2Faka.ms%2Fldaprecon%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20style%3D%22color%3A%20%236888c9%3B%22%3Ehttps%3A%2F%2Faka.ms%2Fldaprecon%3C%2FSPAN%3E%3C%2FA%3E%3C%2FU%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%2010.5pt%3B%20font-family%3A%20'Segoe%20UI'%2Csans-serif%3B%20color%3A%20black%3B%22%3EStay%20tuned%26nbsp%3Bfor%20additional%20alerts%20and%20updates.%26nbsp%3B%20As%20always%2C%20your%20feedback%20is%20welcome.%20%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F84443i7ED256EDB6C25285%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22LDAP%20Recon.png%22%20title%3D%22LDAP%20Recon.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2229190%22%20slang%3D%22en-US%22%3ERe%3A%20New%20preview%20detection%3A%20Security%20principal%20reconnaissance%20(LDAP)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2229190%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20there%20any%20plans%20to%20update%20this%20alert%20to%20include%20what%20actor%20performed%20the%20query%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104809%22%20target%3D%22_blank%22%3E%40Tali%20Ash%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Tali Ash
Microsoft

‎Feb 26 2019 04:03 AM - edited ‎Feb 26 2019 06:05 AM

‎Feb 26 2019 04:03 AM - edited ‎Feb 26 2019 06:05 AM

New preview detection: Security principal reconnaissance (LDAP)

We are proud to introduce a new alert in preview mode that addresses Security principal reconnaissance (LDAP).  This type of reconnaissance is typically used by attackers to gain critical information about the domain environment. 

Lightweight Directory Access Protocol (LDAP) is one the most popular methods used for both legitimate and malicious purposes to query Active Directory and is commonly used as the first phase of a Kerberoasting attack. Kerberoasting attacks are used to get a target list of Security Principal Names (SPNs), which attackers then attempt to get Ticket Granting Server (TGS) tickets for.

 

Starting from Version 2.67, Azure ATP now detects when suspicious LDAP enumeration queries are made or when queries targeted to sensitive groups that use methods not previously seen are observed. In order to allow Azure ATP to accurately profile and learn legitimate users, alerts of this type are only triggered first the first time 10 days following Azure ATP 2.67 version deployment.

 

For more information visit https://aka.ms/ldaprecon

 

Stay tuned for additional alerts and updates.  As always, your feedback is welcome. LDAP Recon.png

3,102 Views
2 Likes
2 Replies
Reply
2 Replies
echavez370

‎Mar 23 2021 12:33 AM - edited ‎Mar 23 2021 12:34 AM

‎Mar 23 2021 12:33 AM - edited ‎Mar 23 2021 12:34 AM

Re: New preview detection: Security principal reconnaissance (LDAP)

Are there any plans to update this alert to include what actor performed the query? It's very unhelpful to say "an actor on server sent a suspicious LDAP query" without specifying the actor. @Tali Ash 

0 Likes
Reply
Eli Ofek

‎Mar 24 2021 01:44 AM

‎Mar 24 2021 01:44 AM

Re: New preview detection: Security principal reconnaissance (LDAP)

We don't have the actor as this is happening using the machine account.
If you have MDE on the machine you might have more data to cross with to find the actor.
0 Likes
Reply