Caught in the Act: CrowdStrike’s New ML-Powered LDAP Reconnaissance Detections

Early in the cyberattack kill chain, reconnaissance enables attackers to assemble critical network information to plan a tailored attack strategy. In this phase, adversaries aim to map out networks and their users, and locate system vulnerabilities, without setting off alarms. Proactive monitoring and early detection of this activity can disrupt attackers in their tracks and lower the risk of a breach. 

CrowdStrike has pioneered a new approach to detecting early signs of reconnaissance queries using AI. This capability generates Lightweight Directory Access Protocol (LDAP) search signatures to detect early signs of reconnaissance at scale, allowing security teams to quickly identify potentially malicious network activity before it escalates. The underlying model for this feature is rigorously trained on correlated insights from endpoint and identity telemetry, underscoring the value of a unified approach to uncover advanced detections faster, earlier and more efficiently. 

This new feature is now available to all customers of CrowdStrike Falcon® Identity Protection. 

Understanding LDAP and Its Role in Reconnaissance

LDAP is a widely used protocol for querying and managing directory data within Active Directory (AD) environments. This protocol is fundamental to accessing AD data and is often a first target in reconnaissance activities following a network breach, with common open source Active Directory attack tools like SharpHound and Rubeus using LDAP in their operations. 

By design, LDAP allows standard domain users to read directory data without requiring elevated permissions, making it possible for attackers to gather intelligence to plan effective intrusion and lateral movement strategies. For instance, LDAP queries can help attackers identify sensitive group memberships or high-privilege accounts, such as domain admins, across a network. This gives them a list of high-value accounts to target for further infiltration. 

Because LDAP is ubiquitous and available to standard domain users, distinguishing malicious queries from legitimate ones can be challenging, underscoring the need for advanced detection methods and behavioral baselining. Some threat hunting solutions provide specific LDAP detection rules, such as zeroing in on queries for admin accounts, domain controllers, service principal names and more. 

Figure 1. Example of an identity attack kill chain

How Existing Detection Methods Fall Short

Current detection methods include rules-based approaches that flag specific types of LDAP searches, such as those targeting sensitive accounts, and signature mapping, which identifies known attack tools. While effective, these methods have limitations:

  • Rules-Based Detection: Although useful for recognizing specific types of LDAP activity, rules-based methods are often too general to differentiate between legitimate and malicious reconnaissance.
  • Signature Mapping: Security teams can perform signature mapping to known attack tools (such as SharpHound, Rubeus, etc.). But while it offers high precision, signature mapping is limited to known attack tools and can miss manual queries, modified attack tool traffic and lesser-known attack methods.

To address these gaps, a more adaptive and scalable solution is needed — one that can identify and respond to unfamiliar or custom-built reconnaissance techniques.

CrowdStrike Thwarts LDAP-based Reconnaissance

By applying machine learning to the challenge of signature mapping, CrowdStrike is able to address the scale, adaptability and precision challenges that limit existing approaches to detecting LDAP reconnaissance. Here’s how CrowdStrike’s new signature mining model works.

First, we built a sample set combining endpoint data (from EDR) and identity data (from LDAP logs), aiming to correlate malicious LDAP queries that occurred in close proximity to malicious endpoint detections for the same users. To rapidly assemble a large training corpus, we took a “weak supervision” approach, a methodology where high-level and noisier sources of supervision are used to create much larger training sets. This builds a training corpus much faster and more efficiently than manual supervision, which may involve labeling examples one by one. 

For an LDAP query to be labeled malicious, it must meet the following criteria: 

  1. Relate to a high-confidence endpoint detection: The LDAP query must be associated with a high-efficacy detection (one with a low false positive rate) or a detection commonly seen with LDAP reconnaissance in the wild, or it must make intuitive sense as an attack path.
  2. Occur within a close time frame of an endpoint detection: The LDAP query must have occurred within a close time frame of an overlapping endpoint detection associated with the same user.
  3. Be uncommon: The query should be relatively uncommon or anomalous for that user to be executing, based on a baseline of that user’s query activity.

Figure 2. How CrowdStrike’s new signature mining model works

The resulting sample set consisted of known malicious LDAP queries with high-confidence correlations with endpoint detections. We used this to train the model to perform signature mining, extrapolating new patterns from known malicious LDAP queries. 
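The weak-supervision labelling described above, written out as an added example (this is not CrowdStrike's code, and the detection names, false-positive rates, time window, rarity threshold and telemetry rows are all constructed for illustration). An LDAP query is labelled malicious only when a low-false-positive endpoint detection for the same user falls inside the time window and the filter is uncommon in that user's own baseline:

```python
"""Weak-supervision labelling of LDAP queries against endpoint detections (constructed example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed endpoint detections: (user, timestamp, detection name, false-positive rate of that type).
ENDPOINT_DETECTIONS = [
    ("alice", datetime(2024, 5, 1, 9, 2), "CredentialDumpingTool", 0.01),
    ("bob", datetime(2024, 5, 1, 11, 30), "SuspiciousScript", 0.30),  # noisy detection type
    ("carol", datetime(2024, 5, 2, 14, 0), "DiscoveryToolExecution", 0.02),
]

# Constructed LDAP search log: (user, timestamp, search filter).
LDAP_QUERIES = [
    ("alice", datetime(2024, 5, 1, 9, 5), "(&(objectCategory=person)(adminCount=1))"),
    ("alice", datetime(2024, 5, 1, 16, 0), "(&(objectCategory=person)(adminCount=1))"),  # outside the window
    ("bob", datetime(2024, 5, 1, 11, 32), "(servicePrincipalName=*)"),  # only a noisy detection nearby
    ("carol", datetime(2024, 5, 2, 14, 3), "(sAMAccountName=carol)"),  # routine self-lookup
    ("carol", datetime(2024, 5, 2, 14, 4), "(&(objectClass=group)(cn=Domain Admins))"),
    ("dave", datetime(2024, 5, 2, 14, 4), "(&(objectClass=group)(cn=Domain Admins))"),  # no detection
]

# Constructed 30-day baseline: how often each user ran each filter before.
BASELINE = {
    "alice": Counter({"(sAMAccountName=alice)": 40}),
    "bob": Counter({"(sAMAccountName=bob)": 25}),
    "carol": Counter({"(sAMAccountName=carol)": 60, "(&(objectClass=group)(cn=Domain Admins))": 1}),
    "dave": Counter({"(&(objectClass=group)(cn=Domain Admins))": 300}),  # dave's daily job
}

WINDOW = timedelta(minutes=15)  # criterion 2: closeness to an endpoint detection (assumed value)
MAX_FP_RATE = 0.05  # criterion 1: detection types noisier than this cannot anchor a label (assumed)
RARE_THRESHOLD = 0.05  # criterion 3: filter is uncommon if under 5% of the user's baseline (assumed)


def is_uncommon(user, ldap_filter):
    """Criterion 3: the filter is rare or unseen in this user's own query baseline."""
    history = BASELINE.get(user, Counter())
    total = sum(history.values())
    if total == 0:
        return True  # no baseline at all: treat everything as new
    return history[ldap_filter] / total < RARE_THRESHOLD


def nearby_detection(user, ts):
    """Criteria 1 and 2: a high-confidence detection for the same user inside the window, else None."""
    for det_user, det_ts, name, fp_rate in ENDPOINT_DETECTIONS:
        if det_user == user and fp_rate <= MAX_FP_RATE and abs(ts - det_ts) <= WINDOW:
            return name
    return None


def label_queries(queries=LDAP_QUERIES):
    """Return one record per query with the anchoring detection and the weak label (1 = malicious)."""
    labelled = []
    for user, ts, ldap_filter in queries:
        anchor = nearby_detection(user, ts)
        label = 1 if anchor is not None and is_uncommon(user, ldap_filter) else 0
        labelled.append({"user": user, "ts": ts, "filter": ldap_filter, "anchor": anchor, "label": label})
    return labelled


if __name__ == "__main__":
    for row in label_queries():
        print(row["label"], row["user"], row["anchor"], row["filter"])
```

Only alice's first query and carol's Domain Admins lookup end up labelled malicious: the same filter run by dave is his routine work (criterion 3), bob's nearby detection is too noisy to anchor a label (criterion 1), and alice's later identical query is hours away from any detection (criterion 2). Noise that survives this filter is tolerated by design; the weak labels are meant to be numerous rather than perfect.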

First, we take a grouped cross-validation approach, training and testing on separate subsets (or folds) of the sample set. This ensures the model can learn to predict malicious LDAP query patterns instead of repeating memorized (known) patterns. Next, we filter for malicious model predictions above a certain threshold and perform statistical hypothesis testing and family-wise error rate (FWER) exclusion to validate signatures with high-confidence likelihood of maliciousness. This minimizes the chance of false positives. 
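The grouped cross-validation, prediction threshold and FWER step, as an added example (not CrowdStrike's code, and the corpus, the signature definition, the stand-in "model" and all thresholds are constructed assumptions). Folds are grouped by user, so a signature is only ever scored on users it was not mined from; the per-fold model is simply the signature's malicious rate in the training folds; held-out hits are then tested against the corpus base rate with a one-sided binomial test and a Bonferroni correction, which is one way of bounding the family-wise error rate:

```python
"""Grouped cross-validation and FWER-corrected validation of mined LDAP signatures (constructed example)."""
import re
from collections import defaultdict
from math import comb

# A signature here is the sorted set of attribute names a filter queries (an assumption of this example).
ATTR_RE = re.compile(r"\(([A-Za-z][\w\-]*)[~<>]?=")


def signature(ldap_filter):
    return tuple(sorted(set(ATTR_RE.findall(ldap_filter))))


def build_corpus():
    """Constructed weakly-labelled rows: (user, filter, label). Six users, three folds of two."""
    rows = []
    for i, u in enumerate(["u0", "u1", "u2", "u3", "u4", "u5"]):
        rows += [(u, "(&(objectCategory=person)(adminCount=1))", 1)] * 5  # consistently malicious
        rows += [(u, f"(sAMAccountName={u})", 0)] * 20 + [(u, f"(sAMAccountName={u})", 1)]  # benign + noise
        rows += [(u, "(&(objectClass=user)(servicePrincipalName=*))", 1)] * 4  # mostly malicious
        rows += [(u, "(&(objectClass=user)(servicePrincipalName=*))", 0)]
        if i < 3:  # rare template: one malicious hit for each of three users in three different folds
            rows.append((u, "(&(objectCategory=computer)(operatingSystem=*))", 1))
    rows += [("u0", "(&(objectClass=group)(managedBy=*))", 1)] * 5  # seen for a single user only
    return rows


def binom_sf(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p): the one-sided p-value against the background rate."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def mine_signatures(rows, k_folds=3, pred_threshold=0.5, alpha=0.05):
    users = sorted({u for u, _, _ in rows})
    fold = {u: i % k_folds for i, u in enumerate(users)}  # grouped: all of a user's rows share a fold
    heldout = defaultdict(lambda: [0, 0])  # signature -> [held-out hits, held-out malicious hits]
    scored, ever_candidate = set(), set()
    for f in range(k_folds):
        train = [(signature(q), y) for u, q, y in rows if fold[u] != f]
        test = [(signature(q), y) for u, q, y in rows if fold[u] == f]
        counts = defaultdict(lambda: [0, 0])
        for sig, y in train:
            counts[sig][0] += 1
            counts[sig][1] += y
        scored.update(counts)
        # Stand-in model: predict "malicious" when the training malicious rate clears the threshold.
        candidates = {s for s, (n, m) in counts.items() if m / n >= pred_threshold}
        ever_candidate.update(candidates)
        for sig, y in test:  # score only on users the signature was not mined from
            if sig in candidates:
                heldout[sig][0] += 1
                heldout[sig][1] += y
    base_rate = sum(y for _, _, y in rows) / len(rows)
    tested = [s for s in ever_candidate if heldout[s][0] > 0]
    bonferroni = alpha / max(len(tested), 1)  # FWER control across every hypothesis actually tested
    results = {}
    for sig in scored:
        n, m = heldout[sig]
        if sig not in ever_candidate:
            status, p = "below_threshold", None
        elif n == 0:
            status, p = "no_heldout_evidence", None  # memorised from one user, never confirmed elsewhere
        else:
            p = binom_sf(m, n, base_rate)
            status = "validated" if p <= bonferroni else "excluded_fwer"
        results[sig] = {"heldout_n": n, "heldout_malicious": m, "p_value": p, "status": status}
    return results, base_rate, bonferroni


if __name__ == "__main__":
    res, base, bonf = mine_signatures(build_corpus())
    print(f"base rate {base:.3f}, Bonferroni threshold {bonf:.4f}")
    for sig, r in sorted(res.items()):
        print(r["status"], sig, r["heldout_n"], r["heldout_malicious"], r["p_value"])
```

The interesting row is the rare template seen three times, all malicious: its uncorrected p-value is about 0.043, so it would pass a plain 0.05 cutoff, yet it fails the Bonferroni threshold of 0.05/3 and is excluded. The template seen only for one user is a candidate in two folds but never has a held-out hit, which is exactly the memorised pattern grouped cross-validation is meant to keep out of the signature set.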

Through this approach, CrowdStrike can identify high-precision LDAP reconnaissance signatures and provide accurate alerts with minimal false positives.

Figure 3. Details for detections attributed to LDAP queries

Figure 4. Sample detection in Falcon Identity Protection attributed to a suspicious LDAP search

Staying Ahead of Modern Attacks

Security analysts can use this new feature to tailor their response to suspicious LDAP indicators, such as by manually excluding certain users (e.g., administrators performing routine audits) and restricting certain query types. These customization options allow security teams to adapt the reconnaissance detections to their specific environment, reducing unnecessary alerts while maintaining robust protection. 

By leveraging advanced machine learning delivered through unified identity and endpoint protection, we’re able to predict new and unique LDAP queries, helping organizations stay one step ahead of attackers and shutting down advanced attacks well before a payload is deployed.
