There needs to be an ability to monitor when LDAP calls are being made to, or on, a DC in an AD domain. Seeing when calls are made and what types of calls they are can help identify an intrusion. Methods already exist that can be enabled to generate event logs for LDAP, but they can cause performance problems on the DC. For this to be effective, it needs to be developed in a way that does not introduce such performance issues. There is evidently a way to create a Data Collector Set that collects information on LDAP calls from the following trace providers:
- Active Directory Domain Services: Core
- Active Directory: Kerberos KDC
- NTLM Security Protocol
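As an added illustration (not part of this request, and not the agent's own code), the following PowerShell creates such a Data Collector Set with `logman`, using the three providers above and a bounded circular buffer so the trace cannot grow without limit on a busy DC. The collector name, output path, size limits and the `tracerpt` report path are assumptions; the provider names are as listed by `logman query providers`.

```powershell
# Constructed example: bounded ETW Data Collector Set for LDAP-related activity on a DC.
# Run in an elevated prompt on the domain controller being monitored.
$name = 'LDAP-Monitor'                      # assumed collector set name
$etl  = 'C:\PerfLogs\LDAP-Monitor.etl'      # assumed output path
$rpt  = 'C:\PerfLogs\LDAP-Monitor-report'   # assumed report base name

# Create the collector set with the first provider.
# -f bincirc / -max 256 : circular binary file capped at 256 MB (bounds disk use)
# -nb 16 64 / -bs 64    : min/max buffer count and buffer size in KB (bounds memory use)
logman create trace $name -ow -o $etl -f bincirc -max 256 -nb 16 64 -bs 64 `
    -p 'Active Directory Domain Services: Core'

# Add the remaining providers named in the request.
logman update trace $name -p 'Active Directory: Kerberos KDC'
logman update trace $name -p 'NTLM Security Protocol'

# Start the collector, leave it running for the monitoring window, then stop it.
logman start $name
Start-Sleep -Seconds 300          # assumed 5-minute capture window
logman stop $name

# Decode the .etl into a summary and an XML event dump for offline review
# (tracerpt ships with Windows; no event logging policy needs to be enabled).
tracerpt $etl -summary "$rpt-summary.txt" -o "$rpt.xml" -of XML

# Remove the collector set definition when it is no longer needed.
logman delete $name
```

The provider names are those exposed by the built-in "Active Directory Diagnostics" collector set; `logman query providers` confirms the exact spelling on a given DC build.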
If the agent could read these providers without event logging being enabled, policies could be created to collect only the data each policy requires.
This may not be the only way to collect information about LDAP calls, so all potential methods should be explored to find the most efficient one.