Andreas Happe: Active Directory: Using LDAP Queries for Stealthy Enumeration

Submitted by Style Pass, 2023-01-25 09:00:11

During a recent assumed-breach pen-test assignment I ran into a problem: the customer had an up-to-date Windows Active Directory environment, CrowdStrike was rolled out as an EDR, and a dedicated Incident Response Team was monitoring for alerts, and I needed some Active Directory enumeration to be done before I could plan out my next steps. I assumed, which later proved correct, that just starting BloodHound or GetUserSPN.py would trigger defenders and defences.

How to proceed stealthily? Luckily I found a blog post detailing how to utilize LDAP as a stealthy reconnaissance/enumeration tool.

All of the following snippets assume that you have access to a domain-joined workstation as a low-privileged AD user. Running the snippets did not trigger any defense response/detection, by the way.

I’ll detail two small example snippets, but you can find more inspiration in useful LDAP queries for Active Directory enumeration. If you want to adapt the snippets to another example, you mostly have to change $ldapFilter to the desired query and then switch the output statements to the retrieved attributes.
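Since the point of the post is that plain LDAP queries did not trigger the EDR, the defender-side counterpart is worth showing: a domain controller can log every LDAP search it answers (Directory Service event 1644 when Field Engineering diagnostics are enabled), and a single client issuing several subtree-scope searches that walk thousands of entries stands out from normal workstation traffic. The following is an added example, not code from the post or from the referenced query list. It parses constructed sample records in a simplified key=value layout (the layout, the field names and the thresholds are assumptions; the field set mirrors what event 1644 records: client, starting node, scope, filter, visited and returned entries) and reports clients whose search volume looks like directory enumeration.

```python
import re
from collections import defaultdict

# Constructed sample records. The key=value layout is an assumption made for
# this example; the fields are the ones a DC's LDAP search log exposes.
SAMPLE_LOG = """\
2023-01-25T09:00:11Z client=10.0.0.5:51234 base="DC=corp,DC=example" scope=subtree filter="(objectClass=user)" visited=4820 returned=4800
2023-01-25T09:00:12Z client=10.0.0.5:51234 base="DC=corp,DC=example" scope=subtree filter="(objectCategory=computer)" visited=3100 returned=3090
2023-01-25T09:00:13Z client=10.0.0.5:51234 base="DC=corp,DC=example" scope=subtree filter="(objectClass=group)" visited=1900 returned=1880
2023-01-25T09:00:15Z client=10.0.0.7:49822 base="DC=corp,DC=example" scope=subtree filter="(sAMAccountName=jdoe)" visited=1 returned=1
2023-01-25T09:00:16Z client=10.0.0.7:49822 base="CN=jdoe,OU=Staff,DC=corp,DC=example" scope=base filter="(objectClass=*)" visited=1 returned=1
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+)\s+client=(?P<client>\S+)\s+base="(?P<base>[^"]*)"\s+'
    r'scope=(?P<scope>\S+)\s+filter="(?P<filter>[^"]*)"\s+'
    r'visited=(?P<visited>\d+)\s+returned=(?P<returned>\d+)'
)


def parse_log(text):
    """Turn the key=value records into dicts; lines that do not match are skipped."""
    searches = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["visited"] = int(rec["visited"])
        rec["returned"] = int(rec["returned"])
        searches.append(rec)
    return searches


def is_broad(search, min_visited=1000):
    """A subtree search that had to touch many entries is a 'broad' search.
    Indexed lookups (e.g. a single sAMAccountName) visit very few entries even
    with subtree scope, so they are not counted."""
    return search["scope"] == "subtree" and search["visited"] >= min_visited


def flag_clients(searches, min_visited=1000, max_broad=2, max_visited_total=5000):
    """Aggregate per client address and return those exceeding either threshold:
    too many broad searches, or too many directory entries visited in total.
    Thresholds are illustrative assumptions and must be tuned per directory size."""
    per_client = defaultdict(lambda: {"broad": 0, "visited": 0, "filters": []})
    for s in searches:
        host = s["client"].rsplit(":", 1)[0]  # drop the ephemeral source port
        c = per_client[host]
        c["visited"] += s["visited"]
        if is_broad(s, min_visited):
            c["broad"] += 1
            c["filters"].append(s["filter"])
    return {
        host: c
        for host, c in per_client.items()
        if c["broad"] >= max_broad or c["visited"] >= max_visited_total
    }


if __name__ == "__main__":
    for host, stats in flag_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {stats['broad']} broad searches, "
              f"{stats['visited']} entries visited, filters={stats['filters']}")
```

The workstation at 10.0.0.5 is reported (three subtree searches visiting 9820 entries in total), while 10.0.0.7, which only performed indexed and base-scope lookups, is not. In a real deployment the same aggregation would run over the 1644 events forwarded from every DC, with the visited-entry thresholds set relative to the directory's object count and an allow-list for hosts that legitimately walk the directory, such as provisioning or backup systems.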
