
Task 4.1: Security principal reconnaissance (LDAP)

In this detection, Defender for Identity looks for LDAP security principal reconnaissance, which is commonly the first phase of a Kerberoasting attack. In that phase the attacker queries Active Directory over LDAP for accounts that have Service Principal Names (SPNs) registered. The resulting target list is then used to request Ticket Granting Service (TGS) service tickets for those SPNs; the tickets are encrypted with the service accounts' password hashes and can be cracked offline.

Tool used in this test: https://github.com/ANSSI-FR/ORADAD/releases.

  1. Switch to the WIN5 RDP session, logged in as MSMDI\JeffL.

  2. In a Command window, run the following command:

     c:\Tools\ORADAD\ORADAD.exe
    
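The step above runs ORADAD, which dumps the directory over LDAP. The query below is an added example, not part of this lab page and not ORADAD's code: it reproduces the narrower SPN enumeration an attacker performs before Kerberoasting, using only the built-in `System.DirectoryServices` searcher, so you can see the exact LDAP filter that this kind of reconnaissance sends to the domain controller. It assumes it is run from the WIN5 session as a domain user (MSMDI\JeffL); the domain is taken from the current logon context and no DC name or account is hard-coded.

```powershell
# Added example: enumerate user accounts that have an SPN registered.
# This is the LDAP query shape behind Kerberoasting target selection.
# Assumes a domain-joined host and a domain user context (e.g. MSMDI\JeffL).

# Resolve the domain naming context from RootDSE instead of hard-coding it
$rootDse    = [ADSI]"LDAP://RootDSE"
$searchBase = "LDAP://$($rootDse.defaultNamingContext)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$searchBase
# Person objects of class user that carry at least one servicePrincipalName.
# objectCategory=person excludes computer accounts, whose SPNs are not
# interesting for Kerberoasting (their passwords are long and random).
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$searcher.PageSize = 1000   # paged search, so large domains are returned fully
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@("sAMAccountName", "servicePrincipalName", "pwdLastSet", "userAccountControl"))

foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    [PSCustomObject]@{
        Account    = [string]$p["samaccountname"][0]
        SPNs       = ($p["serviceprincipalname"] -join "; ")
        # pwdLastSet is a FILETIME large integer; old values hint at weak, stale passwords
        PwdLastSet = [DateTime]::FromFileTime([int64]$p["pwdlastset"][0])
        # ADS_UF_ACCOUNTDISABLE is bit 0x2 of userAccountControl
        Disabled   = (([int]$p["useraccountcontrol"][0]) -band 0x2) -ne 0
    }
}
```

From the defender's side, the point of the lab is that this traffic is ordinary LDAP from an ordinary user workstation; there is no malformed packet to signature. What makes it stand out is who is asking and how broad the query is, which is the behaviour the Defender for Identity alert is built around.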

For more information, review Security principal reconnaissance (LDAP) (external ID 2038).