Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Enumeration is a simple yet important step taken by attackers before or during a network compromise. This type of scan is easy to perform and can quickly reveal service names to attackers. While this scan typically does not negatively affect the network, this technique helps attackers discover services and take the next step in an attack campaign.
Kill Chain
Risk Score
37
When an attacker discovers the domain controller (DC) or LDAP servers on a network, they can discover, or enumerate, a list of network services by acquiring server principal names (also known service principal names or SPNs) from the DC. A server principal name is a unique identifier that represents a service (such as email or remote file management) that can span multiple servers. The attacker sends a specific type of LDAP request to the DC, and receives a list of every SPN stored on that DC. With this information, the attacker can target specific services in subsequent attacks.
Limit domain object privileges to reduce the information users can enumerate through scans and tools such as Bloodhound
Require LDAP signing, which prevents non-domain users from querying the LDAP server
Strictly manage the users and groups with domain permissions that allow users to replicate information from a domain controller (DC)
Because securing LDAP servers can be difficult without compromising functionality, monitor and investigate unusual LDAP activity quickly to minimize potential damage
