Principal Analyst of Cyber Defense Center, BI.ZONE
Once a user account is compromised, an intruder has a foothold to attack the Active Directory domain. One of the attacker's primary tasks at this stage is to collect information about domain objects in preparation for privilege escalation. Although there is a great variety of enumeration tools, all of them use LDAP to access the Active Directory database and the RPC mechanism to communicate with other Windows hosts.
This report describes methods for collecting LDAP and RPC telemetry, as well as methods for detecting anomalous and malicious activity based on the collected events. The proposed approach makes it possible to detect the use of popular hacking tools and some attacks that are difficult to spot with other telemetry sources.