Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Active Directory (AD) reconnaissance is easy to perform with a variety of methods. Attack tools can also facilitate AD reconnaissance by running scripts to enumerate network information. AD domain controllers (DCs) that are misconfigured or lacking proper security controls can be vulnerable to enumeration techniques.
Kill Chain
Risk Score
33
Delegation is an AD feature that allows a user or computer account to interact with backend services on behalf of a user. Delegation properties can be configured in the Microsoft Active Directory Users and Computer console, stored on a DC, and accessed through LDAP search queries.
Impacket is an open-source collection of tools and scripts for manipulating packets and network protocols. Impacket includes scripts that enumerate delegation properties from misconfigured DCs. An attacker runs the script to send an LDAP request with specific filters that are designed to retrieve AD accounts with delegation properties. Attackers typically target accounts with unconstrained delegation, which can help them impersonate any computer or service.
Disable unconstrained delegation for computer accounts in the Microsoft Active Directory Users and Computers console
Disable delegation for high-privileged user or service accounts by marking them as sensitive under User Properties in the Microsoft Active Directory User and Computers console
Because securing LDAP servers can be difficult without compromising functionality, monitor and investigate unusual LDAP activity to minimize potential damage
