Task 4.1: Security principal reconnaissance (LDAP)
In this detection, Defender for Identity looks for LDAP security principal reconnaissance, which is commonly used as the first phase of a Kerberoasting attack. Kerberoasting attacks are used to get a target list of Security Principal Names (SPNs), which attackers then attempt to get Ticket Granting Server (TGS) tickets for.
Tools used in this test: https://github.com/ANSSI-FR/ORADAD/releases.
-
Switch to the WIN5 RDP session, logged in as MSMDI\JeffL.
-
In a Command window, run the following command:
c:\Tools\ORADAD\ORADAD.exe
For more information, review Security principal reconnaissance (LDAP) (external ID 2038).