
MaLDAPtive: Diving Deep into LDAP Obfuscation, Deobfuscation and Detection (PDF)

Uploaded by: 竿*** | ID: 981579 | 2025-11-29 | 167 pages | 31.93 MB

Preview (slide text extracted from the first pages of the deck):

Diving Deep into LDAP (|(Obfuscation,Deobfuscation&=De*te)(!c=tion), USA 2024. Sabajete Elezaj (Sabi) & Daniel Bohannon (DBO).

Daniel Bohannon, aka "DBO": Principal Threat Researcher, USA. Handles: danielhbohannon, danielbohannon. Projects: Invoke-Obfuscation, Invoke-CradleCrafter, Invoke-DOSfuscation, Revoke-Obfuscation, Permiso-io-tools/CloudConsoleCartographer. Tenures: (5 yrs) (2 yrs) (2 yrs).

Sabajete Elezaj, aka "SABI": Senior Cyber Security Engineer, Albania. Handles: sabi_elezi, sabajete-elezaj. Background: Government (1 yr), Consulting (3 yrs), Engineering (3 yrs).

Agenda: Introduction; LDAP Overview; PROBLEM: Obfuscating LDAP; SOLUTION: Parse, Enrich, Detect; MaLDAPtive Tool Demo + Release.

History:
- Back to the 1980s: X.500 directory services and the X.500 Directory Access Protocol (DAP).
- 1993-1997: "Lightweight" Directory Access Protocol (LDAP) v1-3, which used the simpler TCP/IP protocol stack.
- 1998: OpenLDAP developed by the OpenLDAP Project.
- 2000: Microsoft released Active Directory (AD) and ensured compliance of AD with LDAP!
- Future (image: https://ldap.or.kr/wp-content/uploads/2017/07/%EA%B7%B8%EB%A6%BC3.png)

Open-source tools for LDAP visibility (defensive & offensive usages):
- 2015: PowerView (harmj0y)
- 2016: BloodHound (SpecterOps)
- 2017: PingCastle (Vincent Le Toux)

Back to the Logs?
- How to get LDAP logs in a lab? SilkETW (Ruben Boonen, 2019); LDAPMon (Johnny Johnson, 2023).
- How to get LDAP logs in production? Defender for Endpoint (EDR agent); Defender for Identity (sensor on DC).

Client-side vs Server-side LDAP Logs:
- Client-side logs: WYSIWYG, #YOLO, obfuscation ripe (wldap32.dll).
- Server-side logs: Significant normalization (but no

Summary:
- **Topic**: An in-depth look at the obfuscation, parsing, enrichment and detection of LDAP (Lightweight Directory Access Protocol) search requests.
- **History**: LDAP originated from the X.500 directory services; OpenLDAP was developed by the OpenLDAP Project in 1998, and Microsoft released Active Directory (AD) in 2000.
- **Tools**: Introduces several open-source tools for LDAP visibility, such as PowerView, BloodHound and PingCastle.
- **Logs**: Discusses the differences between client-side and server-side LDAP logs, and how to obtain LDAP logs in a production environment.
- **MaLDAPtive tool**: Introduces a new open-source framework for parsing, enriching and detecting obfuscated LDAP search requests.
- **Obfuscation methods**: Analyzes in detail the obfuscation methods available in LDAP search requests, covering attributes, comparison operators, boolean operators and extensible match filters.
- **Solution**: With a custom LDAP parser and a detection rule set, MaLDAPtive improves visibility, detection and deobfuscation of obfuscated LDAP search requests.
How do attackers hide? Unlock LDAP search requests! Identify hidden threats!