π€ AI Summary
This study addresses the challenge of early detection of stealthy reconnaissance activities in Active Directory conducted via the LDAP protocol, which are often difficult to identify due to their benign appearance. To tackle this issue, the authors propose an automated, annotation-free detection approach that innovatively integrates weakly supervised learning with statistical hypothesis testing. The weakly supervised component trains a classifier to assess the maliciousness of LDAP queries, achieving a 65% true positive rate on a hold-out set while maintaining low false positives. Complementarily, statistical hypothesis testing correlates endpoint telemetry to extract high-confidence signatures of malicious queries, yielding a practical precision of 81.48%. This work represents the first effort to combine these techniques for LDAP-based reconnaissance detection, enabling scalable, automatic discovery and signature extraction of malicious behaviors.
π Abstract
Lightweight Directory Access Protocol (LDAP) is a protocol that allows users to query and modify Active Directory (AD) data. By default, all users have read access to all AD data through LDAP, making it a common initial tool for reconnaissance when a threat actor first compromises an identity. To capture threat actors early in the reconnaissance phase, we developed two machine learning frameworks to detect LDAP reconnaissance: an ML classifier to predict malicious LDAP queries and an ML-based data-mining method to extract malicious query signatures. By correlating LDAP queries with endpoint detections, the first framework uses weak supervision to label a massive dataset and classify LDAP queries as malicious or benign. For immediate deployment, a second technique was developed on top of this approach to employ a rigorous statistical hypothesis-testing framework for mining novel, malicious LDAP signatures. While this weakly supervised approach is limited compared with manual human labeling, it is more practical for this use case because it leverages large-scale automated corpus construction, reducing costs and time. Ultimately, both the LDAP classifier and the ML-based LDAP signature mining method achieved performance benchmarks, with the classifier achieving up to a 65\% True Positive Rate (TPR) on the holdout set while limiting false positives, and mined signatures demonstrating 81.48\% field precision with CrowdStrike's Managed Detection and Response team.