Showing Posts About

LDAP

Introducing LDAP C2 for C3

A new Command & Control (C2) channel for C3 has been introduced using LDAP for covert communication within networks. The technique enables lateral movement by leveraging user attributes with minimal account compromise. A quick start guide is provided to help deploy LDAP-based C2 channels in network environments.

Attack Detection Fundamentals: Discovery and Lateral Movement - Lab #1

This article explores attack detection techniques for discovering valuable users in an Active Directory environment. It demonstrates methods for identifying kerberoastable and AS-REP roastable users through LDAP queries using tools like Rubeus and SharpSploit. Event Tracing for Windows (ETW) logging is used to capture and analyze reconnaissance activities in a cybersecurity lab setting.

  • 6 Nov 2019

OU having a laugh?

A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.

Visualising Organisational Charts from Active Directory

This article demonstrates techniques for extracting and visualizing organizational hierarchies from Active Directory using tools like Metasploit, SQLite, and Neo4j. The methods enable mapping of reporting structures and relationships within an organization by converting Active Directory data into a graph database. Complex queries about organizational relationships can be performed dynamically, revealing management chains and reporting structures.

Offline SQL Querying of Active Directory

ADOffline is a tool that converts Active Directory LDAP data into a SQLite database for offline analysis. It enables cybersecurity professionals to perform detailed reconnaissance by querying domain users, groups, and computers without maintaining a live connection to the domain controller. The tool supports complex SQL queries and provides intuitive views to explore Active Directory information.

Memory Allocation: How injecting into your own tools might help you compromise a Windows domain

ADEGrab is a memory injection tool designed to extract search results from Sysinternals' AD Explorer by directly accessing the application's memory. The tool allows penetration testers to copy search results from Active Directory exploration tools that do not natively support result export. It uses Windows API calls to read and manipulate memory within the AD Explorer process, enabling users to capture and save search results.