LDAP in Active Directory
Status: Scaffold — content in progress
LDAP (Lightweight Directory Access Protocol) is the protocol used to read and write data in Active Directory. Attackers use LDAP extensively for enumeration and ACL manipulation.
Overview
AD exposes LDAP on:
- Port 389: LDAP (unencrypted, or STARTTLS)
- Port 636: LDAPS (SSL/TLS)
- Port 3268: Global Catalog LDAP
- Port 3269: Global Catalog LDAPS
Key Concepts
Distinguished Name (DN)
Every AD object has a DN: CN=John Smith,OU=Users,DC=corp,DC=local
LDAP Queries (Filters)
Used by BloodHound, PowerView, and LDAP clients for enumeration:
(objectClass=user)
(&(objectClass=user)(adminCount=1))
(servicePrincipalName=*)
(userAccountControl:1.2.840.113556.1.4.803:=4194304) ← DONT_REQ_PREAUTH
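To show how these filters actually match, here is an added example (not code from the page or from any of the tools it names): a small evaluator for RFC 4515-style filters, including AD's bitwise-AND (`1.2.840.113556.1.4.803`) and bitwise-OR (`1.2.840.113556.1.4.804`) matching rules, run against a handful of constructed directory objects. The objects, DNs and attribute values are invented sample data; the filters are the ones listed above plus one with negation. Running the same queries against a real directory is a quick audit for accounts that have pre-authentication disabled, hold SPNs, or are AdminSDHolder-protected.

```python
import re

# Matching-rule OIDs AD accepts in extensible filters (attr:OID:=value).
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # any bit of the mask may be set
DONT_REQ_PREAUTH = 0x400000         # 4194304, the userAccountControl flag above

# Constructed sample objects shaped like LDAP search results (attribute -> values).
# None of these are real accounts; the DN style follows the page's example.
SAMPLE_OBJECTS = {
    "CN=John Smith,OU=Users,DC=corp,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jsmith"],
        "userAccountControl": ["512"],                        # NORMAL_ACCOUNT
    },
    "CN=Domain Admin Bob,OU=Users,DC=corp,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["bob.da"],
        "adminCount": ["1"],                                  # AdminSDHolder-protected
        "userAccountControl": ["512"],
    },
    "CN=svc-sql,OU=Service,DC=corp,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["svc-sql"],
        "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
        "userAccountControl": ["66048"],                      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    },
    "CN=legacy-app,OU=Users,DC=corp,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["legacy-app"],
        "userAccountControl": [str(512 | DONT_REQ_PREAUTH)],  # pre-auth disabled
    },
    "CN=DB01,OU=Servers,DC=corp,DC=local": {
        # computer is a subclass of user, so AD stores the whole class chain
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": ["DB01$"],
        "servicePrincipalName": ["HOST/db01.corp.local"],
        "userAccountControl": ["4096"],                       # WORKSTATION_TRUST_ACCOUNT
    },
}

def parse_filter(text):
    """Parse an RFC 4515-style filter into a tree of tuples.
    Supports &, |, !, equality, presence/substring (*) and attr:OID:=value.
    Escaped values (\\2a, \\28, ...) are not handled."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                     # AND / OR over zero or more children
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if s[i] == "!":                      # NOT over exactly one child
        child, i = _parse(s, i + 1)
        return ("!", child), _expect_close(s, i)
    end = s.index(")", i)                # simple item: attr[:OID:]=value
    attr, _, value = s[i:end].partition("=")
    rule = None
    if attr.endswith(":"):               # extensible match carries the OID
        attr, rule = attr[:-1].split(":", 1)
    return ("=", attr, rule, value), end + 1

def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def matches(node, obj):
    """Evaluate a parsed filter against one object (attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, obj) for c in node[1])
    if kind == "|":
        return any(matches(c, obj) for c in node[1])
    if kind == "!":
        return not matches(node[1], obj)
    _, attr, rule, value = node
    # Attribute names are case-insensitive; an absent attribute never matches.
    values = next((v for k, v in obj.items() if k.lower() == attr.lower()), [])
    if not values:
        return False
    if rule == BIT_AND:
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule == BIT_OR:
        mask = int(value)
        return any(int(v) & mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if "*" in value:                     # presence (value == '*') or substring
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_text, objects=SAMPLE_OBJECTS):
    """Return the sorted DNs of the objects the filter matches."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in objects.items() if matches(node, attrs))

if __name__ == "__main__":
    for f in ["(objectClass=user)",
              "(&(objectClass=user)(adminCount=1))",
              "(servicePrincipalName=*)",
              "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
              "(&(servicePrincipalName=*)(!(objectClass=computer)))"]:
        print(f, "->", search(f))
```

Two details worth noticing in the output: `(objectClass=user)` also returns the computer object, because AD stores the full class chain and `computer` derives from `user`, so a query meant to list people has to exclude computers explicitly; and the bitwise rule matches on the flag bit regardless of whatever else is set in `userAccountControl`, which is why an equality test on the raw integer would miss the `legacy-app` account.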
Access Control Lists (ACLs)
Every AD object has a DACL (Discretionary ACL) defining which principals have which permissions:
- GenericAll → Full control
- GenericWrite → Write any attribute
- WriteDACL → Modify the object's ACL (can grant yourself GenericAll)
- WriteOwner → Take ownership
- ForceChangePassword → Reset password without knowing current
These are the primitives for ACL abuse attacks.
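As an added example (not from the page or any tool it mentions), the following script triages a DACL in SDDL form, the string representation Windows tooling exports for a security descriptor, and lists which non-administrative trustees hold one of the primitives above. The SDDL string, SIDs and the set of "trusted" trustees are constructed assumptions; the rights abbreviations and mask bits are the documented SDDL/ADS_RIGHTS values, and the GUID for the User-Force-Change-Password extended right is the well-known schema value, which you should confirm against your own forest's configuration partition.

```python
import re

# SDDL access-right abbreviations -> ACCESS_MASK bits (generic, standard and
# directory-service rights).
ABBREV_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
# The page's abuse primitives that show up as plain mask bits.
DANGEROUS_BITS = [
    (0x10000000, "GenericAll"), (0x40000000, "GenericWrite"),
    (0x00040000, "WriteDACL"), (0x00080000, "WriteOwner"),
]
CONTROL_ACCESS = 0x100
# Well-known rightsGuid of the User-Force-Change-Password extended right;
# verify against your forest's schema before relying on it.
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
# Trustees expected to hold full control (an assumption for this example).
TRUSTED = {"SY", "BA", "DA", "EA", "S-1-5-18", "S-1-5-32-544"}

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")   # D: + flags + ACEs

def rights_mask(rights):
    """Turn the SDDL rights field (hex or two-letter abbreviations) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= ABBREV_BITS.get(rights[i:i + 2], 0)
    return mask

def dangerous_aces(sddl, trusted=TRUSTED):
    """List (trustee, right) pairs from allow ACEs that grant an abuse primitive.
    Triage only: deny ACEs, inheritance and ACE ordering are ignored, so this
    is not an effective-rights calculation."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    findings = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _, rights, object_guid, _, trustee = fields
        if ace_type not in ("A", "OA") or trustee in trusted:
            continue
        mask = rights_mask(rights)
        names = [name for bit, name in DANGEROUS_BITS if mask & bit]
        # CR with no object GUID grants every extended right; with the
        # User-Force-Change-Password GUID it grants just that one.
        if mask & CONTROL_ACCESS and object_guid.lower() in ("", FORCE_CHANGE_PASSWORD_GUID):
            names.append("ForceChangePassword")
        if "GenericAll" in names:        # GenericAll subsumes the rest
            names = ["GenericAll"]
        findings.extend((trustee, name) for name in names)
    return sorted(findings)

# Constructed DACL for a user object; real DACLs are longer and the SIDs are invented.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"                                    # Domain Admins: expected
    "(A;;GA;;;S-1-5-21-1111-2222-3333-1105)"          # full control
    "(A;;WD;;;S-1-5-21-1111-2222-3333-1106)"          # can rewrite the DACL
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1107)"
    "(A;;0x00080000;;;S-1-5-21-1111-2222-3333-1108)"  # WriteOwner as a hex mask
    "(A;;RPLCLORC;;;AU)"                              # read-only: not flagged
    "(D;;GA;;;S-1-5-21-1111-2222-3333-1109)"          # deny ACE: skipped
)

if __name__ == "__main__":
    for trustee, right in dangerous_aces(SAMPLE_SDDL):
        print(f"{trustee}: {right}")
```

The point of the WriteDACL and WriteOwner rows in the output is that they look harmless next to a full-control grant but are equivalent to it: either one lets the holder rewrite the DACL and add GenericAll, so a review that only searches for GA misses them.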
Attack Uses of LDAP
| Use | Tool | Purpose |
|---|---|---|
| Enumeration | BloodHound, PowerView | Identify attack paths, over-privileged accounts, misconfigured ACLs |
| ACL manipulation | PowerView, AD module | Grant permissions to controlled accounts |
| Targeted attribute writes | LDAP directly | Set msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD |
| SPN manipulation | LDAP/Set-ADUser | Set SPNs on accounts for Kerberoasting |
Telemetry
| Event ID | Description |
|---|---|
| 4662 | Object access audit (requires SACL on object) |
| 1644 | Expensive / inefficient LDAP query (AD diagnostic logging) |
| Microsoft-Windows-LDAP-Client/Debug | Client-side LDAP query tracing |
| MDI (Defender for Identity) | Detects LDAP enumeration patterns |
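The table above lists where the evidence lands; the following added example (not from the page, not from MDI or any Microsoft tooling) shows one way to turn expensive-query telemetry into a detection. It scores each client on two signals: filters containing the enumeration patterns this page lists, and bursts of wide subtree searches rooted at the domain that touch far more entries than they return. The event records are constructed approximations of the fields a 1644 event carries (client, starting node, filter, visited and returned entries), not a real log export, and the thresholds are assumptions to be tuned on real volumes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Filter fragments the page lists as enumeration queries; matched as a
# case-insensitive substring of the logged filter.
RECON_MARKERS = {
    "servicePrincipalName=*": "SPN sweep across the directory",
    "adminCount=1": "sweep for AdminSDHolder-protected accounts",
    "1.2.840.113556.1.4.803:=4194304": "sweep for accounts with DONT_REQ_PREAUTH",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "interest in the RBCD attribute",
}

# Constructed records approximating the fields of an expensive-query (1644)
# event. Invented sample values, not a real log export.
SAMPLE_EVENTS = [
    {"time": datetime(2024, 5, 1, 9, 0, 1), "client": "10.0.0.5",
     "starting_node": "DC=corp,DC=local", "filter": "(objectClass=user)",
     "visited": 5000, "returned": 4800},
    {"time": datetime(2024, 5, 1, 9, 0, 3), "client": "10.0.0.5",
     "starting_node": "DC=corp,DC=local", "filter": "(servicePrincipalName=*)",
     "visited": 5000, "returned": 40},
    {"time": datetime(2024, 5, 1, 9, 0, 4), "client": "10.0.0.5",
     "starting_node": "DC=corp,DC=local",
     "filter": "(&(objectClass=user)(adminCount=1))", "visited": 5000, "returned": 12},
    {"time": datetime(2024, 5, 1, 9, 0, 6), "client": "10.0.0.5",
     "starting_node": "DC=corp,DC=local",
     "filter": "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
     "visited": 5000, "returned": 1},
    # An application server resolving one user by an indexed attribute: normal.
    {"time": datetime(2024, 5, 1, 9, 10, 0), "client": "10.0.0.20",
     "starting_node": "DC=corp,DC=local",
     "filter": "(&(objectClass=user)(sAMAccountName=jsmith))", "visited": 1, "returned": 1},
    # One wide query on its own: noisy, but below the burst threshold.
    {"time": datetime(2024, 5, 1, 9, 20, 0), "client": "10.0.0.30",
     "starting_node": "DC=corp,DC=local", "filter": "(objectClass=group)",
     "visited": 5000, "returned": 900},
]

def analyze(events, window=timedelta(minutes=5), burst_threshold=3, wide_visited=1000):
    """Return {client: sorted reasons} for clients whose LDAP activity looks like
    enumeration. Thresholds are assumptions for the sample data."""
    findings = defaultdict(set)
    wide_query_times = defaultdict(list)
    for ev in events:
        client, flt = ev["client"], ev["filter"].lower()
        for marker, reason in RECON_MARKERS.items():
            if marker.lower() in flt:
                findings[client].add(reason)
        # A search rooted at the domain that visits many entries is "wide".
        if ev["starting_node"].upper().startswith("DC=") and ev["visited"] >= wide_visited:
            wide_query_times[client].append(ev["time"])
    for client, times in wide_query_times.items():
        times.sort()
        for start in range(len(times)):      # sliding window over sorted times
            end = start
            while end < len(times) and times[end] - times[start] <= window:
                end += 1
            if end - start >= burst_threshold:
                findings[client].add(f"{end - start} wide subtree searches within {window}")
                break
    return {client: sorted(reasons) for client, reasons in findings.items()}

if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_EVENTS).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Event 1644 is only emitted when AD diagnostic logging for field engineering is turned up and the query exceeds the expensive/inefficient thresholds, so the burst rule above depends on those settings; the marker rule is the one to port to whatever LDAP query source you do have (client-side tracing or MDI). Pairing the two is useful because a single wide query is common from legitimate software, while several in a few seconds combined with recon-shaped filters rarely is.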
Cross-Links
| Topic | Link |
|---|---|
| ACL Abuse | acl-abuse |
| AD Overview | ad-overview |