Hunting for LDAP Enumerations (Bloodhound_Sharphound)

Hunting for LDAP Enumeration via BloodHoundBloodHound is a powerful tool used by attackers to visualize and plan attacks on Active Directory environments. Its ability to enumerate LDAP and generate a comprehensive domain map makes it a critical threat to monitor. Here’s how to detect and mitigate its use, focusing on the use of SharpHound for data collection.

Attack Workflow

1. SharpHound Enumeration:

   • The attacker runs SharpHound on a compromised system.

   • It queries LDAP for extensive domain information and generates a ZIP file.

2. Data Analysis:

   • The ZIP file is transferred to the attacker’s system.

   • Loaded into BloodHound, it visualizes domain structure and identifies potential attack paths, including paths to privileged accounts like Domain Admins.

Detection Techniques

LDAP enumeration is difficult to distinguish from legitimate usage because LDAP queries are integral to Active Directory operations. However, detection becomes feasible by focusing on Event ID 4662 and using CANARY objects.

Key Event to Monitor

• Event ID 4662: Logged when LDAP queries access objects in Active Directory.

  Indicators of Suspicious LDAP Enumeration:

  1. High Volume of Events in a Short Time:

     • Hundreds of events with Event ID 4662 from the same user account indicate automated enumeration.

  2. Access to CANARY Objects:

     • These are fake objects (users, groups, computers) placed in the directory. Any access to these objects should raise immediate alerts.

Event Analysis

Below is an example from Event ID 4662 during SharpHound enumeration:

Example Event Details:

• User: cyberjunkie

• Object Accessed: dr strange (CANARY user)

• Operation Type: LDAP query.

Analyzing multiple such events:

1. Timestamps:

   • Events generated within milliseconds of each other from the same account indicate automation.

2. Target Objects:

   • Access to CANARY objects like Test (fake computer) reinforces suspicion of enumeration.

Query Example for SIEM

Use the following filters to detect LDAP enumeration:

EventID=4662 AND ObjectName IN ('CANARY-User1', 'CANARY-Computer1', 'CANARY-Group1')

Additional Indicators:

• Multiple 4662 events in rapid succession for legitimate objects but originating from a single user account.

Mitigation Steps

1. Deploy CANARY Objects:

   • Create fake users, groups, and computers with realistic names.

   • Enable auditing for these objects to detect any access.

2. Monitor Privileged Accounts:

   • Limit the use of accounts that can query LDAP extensively.

   • Restrict permissions for regular users to prevent them from performing extensive LDAP queries.

3. Prevent Session Enumeration:

   • Apply Group Policy to limit access to sensitive resources and enforce strong access controls.

4. Audit and Alert on Suspicious Queries:

   • Set up alerts for spikes in Event ID 4662.

   • Focus on patterns of access indicating automated tools.

5. Educate and Train Admins:

   • Ensure system administrators understand the risks and do not inadvertently grant unnecessary permissions to service accounts or users.

Key Points

By carefully monitoring Event ID 4662 and leveraging CANARY objects, defenders can effectively detect LDAP enumeration attacks like those performed using BloodHound. Combining detection strategies with proactive mitigation steps will strengthen Active Directory defenses and limit opportunities for privilege escalation.