Diving Deep into LDAP Obfuscation, Deobfuscation & Detection
(title styled on the slide as an LDAP filter: (|(Obfuscation,Deobfuscation&=De*te)(!c=tion))
USA 2024
Sabajete Elezaj (Sabi) & Daniel Bohannon (DBO)

Daniel Bohannon, aka "DBO"
Principal Threat Researcher
Handles: danielhbohannon, danielhbohannon, danielbohannon
Projects: Invoke-Obfuscation, Invoke-CradleCrafter, Invoke-DOSfuscation, Revoke-Obfuscation, Permiso-io-tools/CloudConsoleCartographer
USA
Background: (5 yrs) (2 yrs) (2 yrs)

Sabajete Elezaj, aka "Sabi"
Senior Cyber Security Engineer
Handles: sabi_elezi, sabajete-elezaj
Albania
Background: Government (1 yr), Consulting (3 yrs), Engineering (3 yrs)

Agenda
- Introduction
- LDAP Overview
- PROBLEM: Obfuscating LDAP
- SOLUTION: Parse, Enrich, Detect
- MaLDAPtive Tool Demo + Release

History
- Back to the 1980s: X.500 directory services; X.500 Directory Access Protocol (DAP)
- 1993-1997: "Lightweight" Directory Access Protocol (LDAP) v1-3; used the simpler TCP/IP protocol stack
- 1998: OpenLDAP developed by the OpenLDAP Project
- 2000: Microsoft released Active Directory (AD); ensured compliance of AD with LDAP!

Future
(image: https://ldap.or.kr/wp-content/uploads/2017/07/%EA%B7%B8%EB%A6%BC3.png)
Open-source tools for LDAP visibility (defensive & offensive usages):
- 2015: PowerView (harmj0y)
- 2016: BloodHound (SpecterOps)
- 2017: PingCastle (Vincent Le Toux)

Back to the Logs?
How to get LDAP logs in a lab?
- SilkETW (Ruben Boonen, 2019)
- LDAPMon (Johnny Johnson, 2023)
How to get LDAP logs in production?
- Defender for Endpoint (EDR agent)
- Defender for Identity (sensor on DC)

Client-side vs Server-side LDAP Logs
Client-side logs:
- WYSIWYG
- #YOLO
- Obfuscation ripe
- wldap32.dll
Server-side logs:
- Significant normalization (but no