MaLDAPtive: Obfuscation and De-Obfuscation
Daniel Bohannon, Sabajete Elezaj
DEF CON 32 Main Stage · Day 1
**Active Directory (AD)** remains a core component of enterprise infrastructure, which makes the **Lightweight Directory Access Protocol (LDAP)** a prime target for both offensive and defensive operations. "MaLDAPtive: Obfuscation and De-Obfuscation", presented by Daniel Bohannon and Sabajete Elezaj at DEF CON 32, addresses one of the harder problems in this space: attackers' use of LDAP search-filter obfuscation, and the resulting difficulty of detecting such queries and restoring them to a canonical form. Drawing on experience in threat research, incident response and detection engineering, the speakers point to a significant gap in current defensive capability: the lack of robust, production-ready telemetry for LDAP search filters.
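As an added example (not code from the talk or from the MaLDAPtive tool), the following Python normaliser shows what the de-obfuscation side of the problem looks like in practice: it parses an RFC 4515 search filter, decodes hex escapes in assertion values without turning an escaped literal `\2a` into a wildcard, resolves OID-spelled attribute names, flattens redundant AND/OR nesting and double negation, and reports which layers it removed so a detection rule can score the query as well as match its canonical form. The OID table, the indicator names and the constructed `OBFUSCATED` sample are assumptions for illustration; whether a given directory accepts each of these spellings has to be verified against that server.

```python
"""Canonicalise LDAP search filters (added example, not MaLDAPtive's own code): undoes RFC 4515
hex escapes, OID attribute names and redundant nesting.  Verify each spelling against the directory."""
import re
from collections import Counter

OID_TO_ATTR = {"2.5.4.0": "objectclass", "2.5.4.3": "cn",   # sample only; extend from the schema
               "1.2.840.113556.1.4.221": "samaccountname",
               "1.2.840.113556.1.4.8": "useraccountcontrol"}
# Bytes that must stay escaped in a canonical value (RFC 4515): * ( ) \ NUL
MUST_ESCAPE = {0x2A: "\\2a", 0x28: "\\28", 0x29: "\\29", 0x5C: "\\5c", 0x00: "\\00"}
_HEX = re.compile(r"\\([0-9A-Fa-f]{2})")


class Normalizer:                       # recursive-descent parser; counts each layer it undoes
    def __init__(self, text):
        self.s, self.i, self.notes = text, 0, Counter()

    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def parse(self):                    # filter = "(" ( and | or | not | item ) ")"
        self._expect("(")
        op = self.s[self.i:self.i + 1]
        if op in ("&", "|"):            # filterlist: one or more nested filters
            self.i += 1
            children = []
            while self.s[self.i:self.i + 1] == "(":
                children.append(self.parse())
            node = (op, children)
        elif op == "!":
            self.i += 1
            node = ("!", [self.parse()])
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self):                    # attr, one of = ~= >= <= :=, then the assertion value
        end = self.s.find(")", self.i)  # a literal ')' inside a value is always escaped
        body, self.i = self.s[self.i:end], end
        eq = body.find("=")
        if end < 0 or eq < 1:
            raise ValueError(f"malformed item {body!r}")
        start = eq - 1 if body[eq - 1] in "~<>:" else eq
        base, sep, opts = body[:start].lower().partition(";")   # options such as ;binary kept
        self.notes["oid attribute name"] += base in OID_TO_ATTR
        return ("item", OID_TO_ATTR.get(base, base) + sep + opts, body[start:eq + 1],
                self._value(body[eq + 1:]))

    def _value(self, raw):
        out, i = [], 0
        while i < len(raw):
            m = _HEX.match(raw, i)
            if m:                       # \XX escape: decode it unless it must stay escaped
                b, i = int(m.group(1), 16), m.end()
                self.notes["hex-escaped plain ascii"] += b < 0x80 and b not in MUST_ESCAPE
                out.append(MUST_ESCAPE.get(b, chr(b) if b < 0x80 else f"\\{b:02x}"))
                continue
            ch, i = raw[i], i + 1
            if ch in "()\\":            # stray special character: escape it
                ch = MUST_ESCAPE[ord(ch)]
            elif ord(ch) >= 0x80:       # non-ASCII: escape its UTF-8 bytes; ASCII incl. '*' stays
                ch = "".join(f"\\{b:02x}" for b in ch.encode("utf-8"))
            out.append(ch)
        return "".join(out)


def simplify(node, notes):
    """Flatten (&(&(a)(b))(c)), unwrap (&(a)) and cancel (!(!(a)))."""
    if node[0] == "item":
        return node
    kind, kids = node[0], [simplify(c, notes) for c in node[1]]
    if kind == "!":
        notes["double negation"] += kids[0][0] == "!"
        return kids[0][1][0] if kids[0][0] == "!" else ("!", kids)
    flat = [g for c in kids for g in (c[1] if c[0] == kind else [c])]
    notes["nested and/or of same kind"] += sum(c[0] == kind for c in kids)
    notes["single-child and/or"] += len(flat) == 1
    return flat[0] if len(flat) == 1 else (kind, flat)


def render(node):
    if node[0] == "item":
        return "(" + "".join(node[1:]) + ")"
    return "(" + node[0] + "".join(render(c) for c in node[1]) + ")"


def normalize(filter_text):
    """Return (canonical filter, {obfuscation indicator: count}) for one search filter."""
    p = Normalizer(filter_text)
    tree = p.parse()
    if p.i != len(filter_text):
        raise ValueError(f"trailing data at offset {p.i}")
    return render(simplify(tree, p.notes)), {k: v for k, v in p.notes.items() if v}


# Constructed sample: (&(objectClass=user)(sAMAccountName=krbtgt)(sAMAccountName=*)), obfuscated
OBFUSCATED = ("(&(&(2.5.4.0=\\75\\73\\65\\72))"
              "(!(!(1.2.840.113556.1.4.221=k\\72bt\\67t)))(sAMAccountName=*))")
```

`normalize(OBFUSCATED)` returns the plain `(&(objectclass=user)(samaccountname=krbtgt)(samaccountname=*))` together with a count of two OID attribute names, six needlessly hex-escaped bytes, one single-child AND and one double negation; the same call on the unobfuscated spelling returns the identical canonical string with no indicators, which is the property a detection rule keyed on the canonical form needs. Escaped `\2a`, `\28`, `\29`, `\5c` and `\00` are kept escaped because decoding them would change the filter's meaning, and raw `*` is left alone because it is a wildcard, not a literal.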
AI review
Bohannon and Elezaj deliver a much-needed deep dive into LDAP query obfuscation, a critical blind spot for defenders. Their research meticulously dissects how attackers hide in plain sight within Active Directory, highlighting the stark differences between client-side and server-side logging. The release of their 'MaLDAPtive' tool, with its focus on both obfuscation and crucial de-obfuscation, provides a tangible and immediate solution to a pervasive telemetry gap, making this a highly actionable and impactful technical contribution to modern defense strategies.