
New Video from @BlackHatOfficialYT Explores LDAP Protocol and Cybersecurity
In this video, Daniel Bohannon and Sabajete Elezaj, two cybersecurity experts, take a close look at the Lightweight Directory Access Protocol (LDAP) and what it means for information system security. They cover techniques for obfuscating and deobfuscating LDAP queries, as well as methods for detecting malicious activity.

Daniel Bohannon, principal threat researcher at Permiso Security, and Sabajete Elezaj, senior cyber security engineer at Solaris, begin with an introduction to LDAP and Active Directory. They explain that LDAP is a protocol used to query and modify directory services such as Microsoft's Active Directory, and stress that defenders need to understand it because many offensive and defensive tools rely on it to extract sensitive information.

The presenters break an LDAP query down into four main components: the base object, the scope, the filter, and the attribute selection. They focus primarily on the filter, since it is the component detection logic most often relies on. A filter is composed of five required tokens: the opening and closing of the group, the attribute, its value, and the comparison operator. They also introduce operational tokens such as the bitwise operator and the extensible match filter.

Next, they dive into obfuscation techniques, showing how attackers can manipulate attributes, comparison operators, boolean operators, and extensible match filters to hide their intent. For example, attributes can be rewritten using case variations, object identifiers (OIDs), and ambiguous name resolution (ANR), and comparison operators can be manipulated to produce logically equivalent presence and range filters. They discuss the boolean operators, particularly the NOT operator, which can be used to build complex logical inversions, and show how techniques such as double negation and De Morgan's laws can obfuscate a query. They also explain how extensible match filters can be broken into subgroups to complicate detection.

For defenders, they emphasize the importance of LDAP query visibility. Client-side and server-side logs are both essential for detecting malicious activity, but each has limits: client-side logs can be bypassed by issuing queries over SOAP, while server-side logs normalize and extend filters in unpredictable ways.

They then introduce MaLDAPtive, an open-source framework they developed to analyze, enrich, and detect LDAP queries. MaLDAPtive uses a stateful parser written in C# for performance and a PowerShell wrapper for flexibility. The parser tokenizes an LDAP query string, enriches the tokens with decodings and enumerations, and organizes them into syntax trees for deeper analysis.

The presenters demonstrate MaLDAPtive with several practical examples, showing how the framework flags malicious queries using predefined detection rules. Each rule carries a score and an explanation, which makes the results easier to interpret.

In conclusion, they emphasize that LDAP is still used by attackers and that defenders must be aware of these obfuscation techniques to protect their systems. They encourage the security community to explore new methods for obtaining LDAP telemetry and to use tools like MaLDAPtive to analyze and detect malicious activity. Finally, they share their favorite Albanian proverbs to inspire the community to work together and help others advance in cybersecurity.
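As an added illustration of the obfuscation techniques and the parse-then-normalize approach described above (this is not code from the talk or from MaLDAPtive), the small Python parser below reads an LDAP search filter into a syntax tree and reduces it to a canonical form, undoing attribute case changes, OID attribute names, double negation and De Morgan inversions while recording which indicators it saw; the two-entry OID map is a constructed stand-in for a real schema table.

```python
import re
# Constructed OID map for this demo (both OIDs real: cn, sAMAccountName).
OID_MAP = {"2.5.4.3": "cn", "1.2.840.113556.1.4.221": "samaccountname"}
LEAF = re.compile(r"([^=<>~:]+)(:[^=]*:)?(=|>=|<=|~=)(.*)")  # attr [ext] op value

def parse(s, i=0):
    # Recursive-descent parse of an RFC 4515 filter into nested tuples:
    # ("cmp", attr, ext, op, value) for leaves, (op, [children]) for & | !
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        assert s[i] == ")", "unterminated group"
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, ext, cmp, val = LEAF.fullmatch(s[i:j]).groups()
    return ("cmp", attr, ext or "", cmp, val), j + 1

def normalize(node, flags):
    # Canonical form: lowercase/OID-resolved attributes, double negation
    # removed, NOT pushed down to the leaves (De Morgan's laws).
    if node[0] == "cmp":
        _, attr, ext, cmp, val = node
        a = attr.strip().lower()
        if re.fullmatch(r"[0-9.]+", a):                 # OID instead of name
            flags.add("oid-attribute"); a = OID_MAP.get(a, a)
        elif a != attr:
            flags.add("attribute-case-or-whitespace")
        return ("cmp", a, ext, cmp, val)
    op, kids = node
    if op == "!":
        child = kids[0]
        if child[0] == "!":                             # (!(!(x))) -> (x)
            flags.add("double-negation")
            return normalize(child[1][0], flags)
        if child[0] in "&|":                            # (!(&(a)(b))) -> (|(!(a))(!(b)))
            flags.add("negated-group")
            inv = "|" if child[0] == "&" else "&"
            return normalize((inv, [("!", [k]) for k in child[1]]), flags)
        return ("!", [normalize(child, flags)])
    return (op, [normalize(k, flags) for k in kids])

def render(node):
    if node[0] == "cmp":
        return "(%s%s%s%s)" % node[1:]
    return "(" + node[0] + "".join(render(k) for k in node[1]) + ")"

def analyze(filter_str):  # -> (canonical filter, sorted obfuscation indicators)
    flags = set()
    tree, _ = parse(filter_str)
    return render(normalize(tree, flags)), sorted(flags)
```

Two filters that differ only by obfuscation render to the same canonical string, so a detection rule can match on the canonical form and report the indicator list as its explanation.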