Task 4.1: Security principal reconnaissance (LDAP)

In this detection, Defender for Identity looks for LDAP security principal reconnaissance, which is commonly used as the first phase of a Kerberoasting attack. Kerberoasting attacks are used to get a target list of Security Principal Names (SPNs), which attackers then attempt to get Ticket Granting Server (TGS) tickets for.

Tools used in this test: https://github.com/ANSSI-FR/ORADAD/releases.

1. Switch to the WIN5 RDP session, logged in as MSMDI\JeffL.

2. In a Command window, run the following command:

    c:\Tools\ORADAD\ORADAD.exe
   

For more information, review Security principal reconnaissance (LDAP) (external ID 2038).