Inside CrowdStrike’s New ML-Powered LDAP Reconnaissance Detections

Feb 5, 2025 by iHash Leave a Comment

Early in the cyberattack kill chain, reconnaissance enables attackers to assemble critical network information to plan a tailored attack strategy. In this phase, adversaries aim to map out networks and their users, and locate system vulnerabilities, without setting off alarms. Proactive monitoring and early detection of this activity can disrupt attackers in their tracks and lower the risk of a breach.

CrowdStrike has pioneered a new approach to detecting early signs of reconnaissance queries using AI. This capability generates Lightweight Directory Access Protocol (LDAP) search signatures to detect early signs of reconnaissance at scale, allowing security teams to quickly identify potentially malicious network activity before it escalates. The underlying model for this feature is rigorously trained on correlated insights from endpoint and identity telemetry, underscoring the value of a unified approach to uncover advanced detections faster, earlier and more efficiently.

This new feature is now available to all customers of CrowdStrike Falcon® Identity Protection.

Understanding LDAP and Its Role in Reconnaissance

LDAP is a widely used protocol for querying and managing directory data within Active Directory (AD) environments. This protocol is fundamental to accessing AD data and is often a first target in reconnaissance activities following a network breach, with common open source Active Directory attack tools like SharpHound and Rubeus using LDAP in their operations.

By design, LDAP allows standard domain users to read directory data without requiring elevated permissions, making it possible for attackers to gather intelligence to plan effective intrusion and lateral movement strategies. For instance, LDAP queries can help attackers identify sensitive group memberships or high-privilege accounts, such as domain admins, across a network. This gives them a list of high-value accounts to target for further infiltration.

As LDAP is commonly used and can be used by standard domain users, distinguishing malicious queries from legitimate ones can be challenging, underscoring the need for advanced detection methods and behavioral baselining. Some threat hunting solutions provide specific LDAP detection rules, such as zeroing in on admin accounts, domain controllers, service principal names and more.

Source link

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

University of Sunderland Proactively Defends With CrowdStrike

In 2021, the University of Sunderland experienced a devastating ransomware attack that disrupted its services and highlighted vulnerabilities in its security posture. With over 28,000 students relying on its network, the university needed to quickly recover and ensure such an incident wouldn’t happen again. Enter CrowdStrike. CrowdStrike’s Incident Response team worked diligently to eliminate […]

Cybersecurity for Businesses of All Sizes

One of the primary reasons why cybersecurity remains a complex undertaking is the increased sophistication of modern cyber threats. As the internet and digital technologies continue to advance, so do the methods and tools cybercriminals use. This means that even the most secure systems are vulnerable to attacks over time. Detecting and preventing these attacks […]

Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access

Feb 04, 2025Ravie LakshmananVulnerability / Threat Intelligence Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. The package, named github.com/boltdb-go/bolt, is a typosquat of the legitimate BoltDB database module (github.com/boltdb/bolt), per Socket. The malicious […]

Optimizing long-term data retention with Elastic Cloud Hosted: Ensuring compliance and efficiency for government

In the digital era, state and local governments are increasingly tasked with managing vast volumes of data while ensuring compliance with stringent regulatory requirements. These regulations, which can vary significantly depending on jurisdiction, often require the retention of data for extended periods — sometimes ranging from one to seven years. Compliance with standards, such as […]

The Next Chapter in Swift Build Technologies

Swift continues to grow in popularity as a cross-platform language supporting a wide variety of use cases, with support on a variety of embedded devices, form factors that encompass wearables to server, and a wide variety of operating systems. As Swift expands, there’s value in investing in matching cross-platform build tools that provide a powerful, […]

AI Cyber Threat Intelligence Roundup: January 2025

At Cisco, AI threat research is fundamental to informing the ways we evaluate and protect models. In a space that is so dynamic and evolving so rapidly, these efforts help ensure that our customers are protected against emerging vulnerabilities and adversarial techniques. This regular threat roundup consolidates some useful highlights and critical intel from ongoing […]

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

JBL Flip 6 Portable Bluetooth Speaker (Open Box) for $74

Navee V25 300W Foldable e-Scooter for $299

Smart Tracker Includes Key Ring – Works with Apple Find My App (2-Pack) for $34

Harmony Premium Plan Lifetime Subscription for $99

Lenovo 11.6" 100e Chromebook 2nd Gen (2019) MediaTek MT8173C 4GB RAM 16GB eMMC (Refurbished) for $54

Inside CrowdStrike’s New ML-Powered LDAP Reconnaissance Detections

Understanding LDAP and Its Role in Reconnaissance

JBL Flip 6 Portable Bluetooth Speaker (Open Box) for $74

Navee V25 300W Foldable e-Scooter for $299

Smart Tracker Includes Key Ring – Works with Apple Find My App (2-Pack) for $34

Harmony Premium Plan Lifetime Subscription for $99

Lenovo 11.6" 100e Chromebook 2nd Gen (2019) MediaTek MT8173C 4GB RAM 16GB eMMC (Refurbished) for $54

Understanding LDAP and Its Role in Reconnaissance

Share this:

Reader Interactions

Leave a ReplyCancel reply