(|(MaLDAPtive:¯\_(LDAP)_/¯=ObFUsc8t10n) (De-Obfuscation &:=De*te)(!c=tion))

Presented at DEF CON 32 (2024), Aug. 11, 2024, 11 a.m. (45 minutes).

LDAP is no stranger to the security spotlight. While LDAP is a protocol (Lightweight Directory Access Protocol) and Active Directory is the most popular directory services system that supports a subset of LDAP, the terms “LDAP” and “AD” are tightly coupled when discussing the execution, detection and prevention of attacks targeting directory services data. In the last decade the widespread offensive value of querying AD data via LDAP was cemented with the release of open-source tools such as BloodHound and PingCastle. However, proper visibility of LDAP queries mostly remains a privileged asset for those organizations with deep pockets, and the commercial security tools providing this visibility are often woefully fixated on simple signature-based detections. MaLDAPtive is the 2,000-hour (and counting) quest of offensive and defensive LDAP exploration and tool-building. This research includes mind-bending depths of obfuscation across all elements of LDAP queries (many undocumented and most never seen in the wild), all baked into an obfuscation/de-obfuscation/detection framework built upon our ground-up custom LDAP search filter tokenizer and syntax tree parser. 
Come witness the release of our MaLDAPtive research and open-source framework: transforming LDAP from “lightweight” to “heavyweight.”

References:

- General LDAP information:
  - [link](https://ldapwiki.com/wiki/)
  - [link](https://ldap.com/basic-ldap-concepts/)
- LDAP-Related RFCs:
  - [link](https://datatracker.ietf.org/doc/html/rfc4511)
  - [link](https://datatracker.ietf.org/doc/html/rfc4512)
  - [link](https://datatracker.ietf.org/doc/html/rfc4514)
- Official Documentation for Active Directory LDAP Attributes:
  - [link](https://github.com/MicrosoftDocs/win32/tree/docs/desktop-src/ADSchema)
- Blogs Highlighting Offensive LDAP Usage:
  - [link](https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb)
  - [link](https://www.politoinc.com/post/ldap-queries-for-offensive-and-defensive-operations)
  - [link](https://www.binarydefense.com/resources/blog/uncovering-adversarial-ldap-tradecraft/)
  - [link](https://www.mdsec.co.uk/2024/02/active-directory-enumeration-for-red-teams/)
- Open-Source Tooling Using LDAP:
  - [link](https://github.com/BloodHoundAD/BloodHound)
  - [link](https://github.com/vletoux/pingcastle)
  - [link](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
  - [link](https://github.com/Kevin-Robertson/Powermad)
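The abstract says the framework rests on a custom LDAP search filter tokenizer and syntax tree parser. As an added illustration (not MaLDAPtive's code, which is not on this page), here is a minimal recursive-descent parser for RFC 4515 search filters plus a canonical serialization, so that a filter written with mixed attribute case, padding or hex escapes normalizes to the same string as its plain form, which is the basic step a detection pipeline needs before matching. The sample filter is constructed, and tolerating whitespace between filter items is an assumption about the server, not something the page states.

```python
import re
from dataclasses import dataclass, field
MUST_ESCAPE = {"2a", "28", "29", "5c", "00"}   # RFC 4515 requires these escaped; keep '*' etc. literal

@dataclass
class Node:
    op: str                      # '&', '|', '!' for composites; '=', '~=', '>=', '<=' or ':rule:=' for leaves
    attr: str = ""               # attribute type, case-folded (leaves only)
    value: str = ""              # asserted value with ASCII hex escapes decoded (leaves only)
    kids: list = field(default_factory=list)

def _decode(value):              # \XX -> character, except escapes that must stay escaped
    def sub(m):
        h = m.group(1).lower()
        return "\\" + h if h in MUST_ESCAPE else chr(int(h, 16))
    return re.sub(r"\\([0-9a-fA-F]{2})", sub, value)

def parse_filter(s, i=0):        # recursive descent over an RFC 4515 filter; returns (Node, next index)
    while s[i].isspace(): i += 1                 # assumption: whitespace between items is tolerated
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                            # composite: (&...) (|...) (!...)
        node = Node(s[i]); i += 1
        while True:
            while s[i].isspace(): i += 1
            if s[i] == ")": return node, i + 1
            kid, i = parse_filter(s, i)
            node.kids.append(kid)
    end = s.index(")", i)                        # leaf ends at ')'; a literal ')' in a value is escaped \29
    m = re.match(r"\s*([A-Za-z][\w.;-]*)\s*(~=|>=|<=|(?::[\w.-]*)*:=|=)(.*)$", s[i:end], re.S)
    if not m: raise ValueError(f"bad filter item {s[i:end]!r}")
    attr, op, val = m.groups()
    return Node(op, attr.lower(), _decode(val)), end + 1

def canonical(n):                # one fixed serialization, so differently written filters compare equal
    if n.op in "&|!":
        return "(" + n.op + "".join(canonical(k) for k in n.kids) + ")"
    return f"({n.attr}{n.op}{n.value})"

def normalize(s):
    node, end = parse_filter(s)
    if s[end:].strip(): raise ValueError("trailing data after filter")
    return canonical(node)

# Constructed sample: case variation, padding and a hex escape around a plain enabled-user query
OBFUSCATED = "(&  (ObJeCtClAsS=\\75ser)(!(userAccountControl:1.2.840.113556.1.4.803:=2))  (sAMAccountName=*) )"
PLAIN = "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=*))"

if __name__ == "__main__":
    print(normalize(OBFUSCATED), normalize(OBFUSCATED) == normalize(PLAIN))
```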

Presenters:

  • Sabajete Elezaj - Senior Cyber Security Engineer at Solaris SE
    Sabajete Elezaj is a Senior Cyber Security Engineer at Solaris SE with a background in cybersecurity extending over 6 years. Her expertise spans incident response, threat hunting and blue team operations. Her work focuses on enhancing cyber defense strategies. Mrs. Elezaj holds a Master of Science in Information Security from the University of Tirana. She has also shared her expertise at cybersecurity conferences, including BSides Tirana.
  • Daniel Bohannon / DBO - Principal Threat Researcher, P0 Labs team at Permiso Security
    Daniel Bohannon is a Principal Threat Researcher on Permiso Security's P0 Labs team with over 14 years of information security experience, including incident response consulting at MANDIANT, security research at FireEye and threat hunting at Microsoft. He is the author of the Invoke-Obfuscation, Invoke-CradleCrafter and Invoke-DOSfuscation open-source obfuscation frameworks and co-author of Revoke-Obfuscation and Cloud Console Cartographer. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology (2013) and a Bachelor of Science in Computer Science from The University of Georgia (2010).
