Invoke-Maldaptive: LDAP Obfuscation, Deobfuscation & Detection
MaLDAPtive
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation, and detection.
Its foundation is a 100% custom-built C# LDAP parser that handles tokenization and syntax tree parsing along with numerous custom properties that enable accurate and efficient obfuscation, deobfuscation, and detection of LDAP SearchFilters. The rest of the project is a PowerShell wrapper designed for maximum flexibility, randomization, and pipeline capabilities for seamlessly connecting all desired functions in a single command.
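To make the parser-first design concrete, here is an added example (not code from the MaLDAPtive project, whose parser is C#): a minimal Python recursive-descent parser for RFC 4515 SearchFilters that tokenizes a filter into a syntax tree and re-emits it in one normalized spelling, so hex-escaped or mixed-case variants of the same filter become directly comparable. It assumes a subset of the RFC grammar (no separate handling of extensible-match rules, and escaped UTF-8 bytes are not recombined).

```python
import re
_HEX = re.compile(r'\\([0-9A-Fa-f]{2})')
_ITEM = re.compile(r'([A-Za-z0-9.;:-]+)(~=|>=|<=|:=|=)([^)]*)')
_MUST_ESCAPE = set('*()\\\x00')  # RFC 4515: these must be written as \XX inside a value

def _decode(literal):
    # Decode \XX hex escapes (\41 -> 'A'), one byte per escape (UTF-8 bytes are not recombined).
    return _HEX.sub(lambda m: chr(int(m.group(1), 16)), literal)

def _encode(literal):
    # Re-escape only what the RFC requires, so each value has exactly one spelling.
    return ''.join('\\%02x' % ord(c) if c in _MUST_ESCAPE else c for c in literal)

def _filter(s, i):
    # Parse one parenthesised filter starting at s[i]; return (node, index after its ')').
    if s[i:i + 1] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i, op = i + 1, s[i + 1:i + 2]
    if op in ('&', '|'):                  # n-ary AND / OR with zero or more children
        kids, i = [], i + 1
        while s[i:i + 1] == '(':
            kid, i = _filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif op == '!':                       # unary NOT, stored with a one-element child list
        kid, i = _filter(s, i + 1)
        node = ('!', [kid])
    else:                                 # attr op value; an escaped ')' is \29, so [^)]* is safe
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f'bad attribute or operator at offset {i}')
        # Split on wildcards before decoding so a literal \2a stays literal; attribute names are case-insensitive.
        value = [_decode(p) for p in m.group(3).split('*')]
        node, i = (m.group(2), m.group(1).lower(), value), m.end()
    if s[i:i + 1] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse(text):
    node, i = _filter(text, 0)
    if i != len(text):
        raise ValueError(f'trailing data at offset {i}')
    return node

def to_canonical(node):
    # Re-emit the tree in one normalized spelling; value parts rejoin around '*' wildcards.
    if node[0] in ('&', '|', '!'):
        return '(' + node[0] + ''.join(map(to_canonical, node[1])) + ')'
    op, attr, value = node
    return '(' + attr + op + '*'.join(map(_encode, value)) + ')'
```

Because the tree separates wildcards from decoded literals, a `\2a` in the input is re-emitted as `\2a` while a bare `*` stays a wildcard, so the normalized form never changes the filter's meaning.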
Release Details
As defenders, from the very beginning of this research we wanted to release the information and framework in a responsible manner and decided on a two-stage release. This decision was nobody’s but our own, and we made this two-stage approach crystal clear in our CFP submissions.
Therefore, in the initial release of this research we are publishing all code EXCEPT the obfuscation module. After at least 4 months we will then release the obfuscation module along with a Part II of this research (exact date TBD based on pending CFP submission).
Our intention is to give defenders a multi-month head start on setting up required LDAP SearchRequest telemetry and implementing the full detection ruleset that we published with this research.
| Module Name | Release Date |
|---|---|
| LDAP Parser | 2024-08-07 |
| Deobfuscation Module | 2024-08-07 |
| Detection Module | 2024-08-07 |
| Detection Ruleset | 2024-08-07 |
| Telemetry Module | 2024-08-07 |
| Obfuscation Corpus | 2024-08-07 |
| Obfuscation Module | Intentionally delayed release |