“欺骗防御”|使用AD诱饵检测LDAP枚举和Bloodhound

1.Sharphound collector LDAP queries

https://github.com/BloodHoundAD/SharpHound/blob/41516e778ea186e144e4494f2e070cdb9aa878b9/Sharphound2/Enumeration/LdapFilter.cs#L58

(|(|(samaccounttype=268435457)(samaccounttype=268435456)(samaccounttype=536870913)(samaccounttype=536870912)(primarygroupid=*))(&(sAMAccountType=805306369)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870913)(samAccountType=536870912)(objectClass=domain)(&(objectcategory=groupPolicyContainer)(flags=*))(objectcategory=organizationalUnit))(objectclass=domain)(|(samaccounttype=268435456)(samaccounttype=268435457)(samaccounttype=536870913)(samaccounttype=536870912)(samaccounttype=805306368)(samaccounttype=805306369)(objectclass=domain)(objectclass=organizationalUnit)(&(objectcategory=groupPolicyContainer)(flags=*)))(|(&(&(objectcategory=groupPolicyContainer)(flags=*))(name=*)(gpcfilesyspath=*))(objectClass=domain)(objectcategory=organizationalUnit))(&(serviceprincipalname=*)(samaccounttype=805306368)))

2.检测

- 创建诱饵计算机、用户、组帐号

- 开启Directory Service Access高级审核策略（4662）

    auditpol /set /subcategory:”Directory Service Access” /Success:Enable

- SIME搜索4662中的ACCOUNT Name字段。

3.原理

主要是利用Sharphound的默认LDAP查询（“查询所有对象”）。

Source：

https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644

往期精选

围观

威胁猎杀实战（六）：横向移动攻击检测

热文

全球“三大”入侵分析模型

热文

实战化ATT&CK：威胁情报

本文始发于微信公众号（天御攻防实验室）：“欺骗防御” | 使用AD诱饵检测LDAP枚举和Bloodhound