Fedezze fel a legfrissebb kiberbiztonsági híreket

Blog / LegolAD: A Stealthier Approach to Active Directory Enumeration for Red Teams
LegolAD: A Stealthier Approach to Active Directory Enumeration for Red Teams
Bence Szabo
2025. március 27.
active directoryadldap

The tool is available in this GitHub repository:

https://github.com/NaunetEU/LegolAD

Stealth

I consider alternative tools like PowerView to be stealthy in terms of event generation. However, when I created this tool, I had very little knowledge of blue team tools. I wanted to minimize unusual LDAP network traffic while still retrieving as much data as possible about the objects.

Features

Features not found in ldapsearch:

Jitters

Using the arguments --min-time-to-sleep and --max-time-to-sleep, you can set the jitter limits in seconds. Both default to 0, so remember to set them.

Page size and Burst

With the --page-size argument, you can set the page size, which defaults to 10. This ensures that no huge LDAP queries are requested.

You can request multiple requests between jitters using the --burst attribute. You can retrieve 20 items with a single LDAP request between jitters or request 10 items with two LDAP requests. This feature was added because we suspected that normal LDAP communication might occur multiple times in quick succession.

Breaks

The --breaks or -br attribute can be used multiple times and accepts two parameters:

  • The start of the break
  • The end of the break

Breaks must be set in military time. For example:

-br 12:00 12:30 -br 13:10 13:20

The configuration above creates a ‘lunch break’ and an additional short break. During these periods, no scanning will occur, simulating human employee behavior.

Fedezze fel a legfrissebb kiberbiztonsági híreket

Maradjon egy lépéssel a kiberveszélyek előtt a Naunet szakértői blogbejegyzéseivel! Ismerje meg a legújabb védelmi trendeket, technikákat és technológiákat, hogy növelhesse vállalkozása biztonságát. Csatlakozzon közösségünkhöz, és fejlődjön minden bejegyzéssel!