OpenCTI または OpenAEV プラットフォームを 30 日間お試しいただけます。 無料トライアル
XTM Hub by Filigranサインイン

LDAP Security Validation

Endpoint Security Validation
Detection Rule Validation

概要

Detection if LDAPS & Channel Binding are set or not

Description: This scenario performs a security validation of LDAP over SSL/TLS (LDAPS) configuration and LDAP Channel Binding support across directory services (such as Microsoft Active Directory). Both LDAPS and Channel Binding are critical controls that protect LDAP communications against man-in-the-middle (MITM) attacks and credential relaying by ensuring that LDAP traffic is encrypted and properly bound to the underlying TLS session. LDAP by default operates over port 389 without encryption, making credentials and directory queries susceptible to interception or tampering. LDAPS (port 636) secures these communications using SSL/TLS. However, even with LDAPS enabled, Channel Binding Tokens (CBTs) are essential to prevent attackers from relaying NTLM or Kerberos authentication in certain configurations. This scenario connects to LDAP endpoints and checks:

  1. Whether LDAPS is supported and correctly configured.
  2. If LDAP Channel Binding is enforced, optional, or disabled.
  3. Whether the server responds to improperly bound authentication requests, indicating a potential vulnerability to relay attacks. The scenario helps organizations identify gaps in their directory service configuration that could be exploited by adversaries during internal lateral movement or credential attacks (e.g., NTLM relay).

Objective:

  • Determine if LDAP services enforce SSL/TLS encryption (LDAPS).
  • Check if Channel Binding Tokens (CBT) are enabled and enforced.
  • Provide actionable visibility into the LDAP authentication security posture.

Use Case:

  • Hardening Active Directory environments.
  • Internal infrastructure assessments.
  • Purple team exercises simulating relay-attack reconnaissance.
  • Compliance verification with Microsoft LDAP hardening guidelines (2020 and beyond).

Tactics & Techniques:

  • Tactic: Credential Access / Discovery (MITRE ATT&CK: TA0006 / TA0007)
  • Technique: LDAP(S) Enumeration and Channel Binding Verification
  • Related Technique: NTLM Relay (T1557.001) – if CBT is not enforced

Impact:

The scenario does not perform authentication or any intrusive action. It passively verifies LDAPS support and Channel Binding enforcement by analyzing server responses to controlled connection attempts. However, these checks may appear in network logs as LDAP negotiation traffic or test connections over ports 636 (LDAPS) and 389 (LDAP).

Detection Tips:

Security teams can monitor for:

  • LDAP(S) connection attempts without authentication or with test payloads.
  • Event IDs related to failed LDAP bindings (e.g., Event ID 2889 on Domain Controllers).
  • Network flows showing unencrypted LDAP sessions over port 389.
  • SIEM rules and IDS signatures can be created to alert on unencrypted LDAP traffic or CBT misconfigurations.

Recommended Mitigations:

  • Enforce LDAPS for all directory access. Disable plain LDAP where possible.
  • Enable LDAP Channel Binding via Group Policy or registry settings.
  • Ensure that clients and applications support CBT to prevent compatibility issues.
  • Regularly audit LDAP services using tools like Ldp.exe, PowerShell, or LDAP scanners.
  • Monitor for NTLM relay or downgrade attack patterns using endpoint protection and network security tools.

References:

  • Microsoft Security Advisory: LDAP Channel Binding and LDAP Signing Requirements
  • NIST SP 800-153: Guidelines for TLS Implementations
  • MITRE ATT&CK Techniques: T1557.001

基本情報

Filigran
Sébastien Miguel
2026年7月01日
1.17.0
100+
30+

    当社は、XTM Hubの機能を動作させ、その利用状況を把握し、ユーザー体験を向上させるためにクッキーを使用しています。必須のクッキーは常に有効になっています。また、ユーザーの同意を得た上で、機能、パフォーマンス、分析、およびマーケティングを目的としたオプションのクッキーも使用しています。 すべてのクッキーを受け入れる、すべてを拒否する、または許可するオプションのクッキーを選択することができます。「クッキー設定」から、いつでも設定を変更できます。詳細については、当社のクッキーポリシーをご覧ください。