A Microsoft infrastructure component that is just a database. It houses every computer, user, credential, group policy, service, application, and mapped detail of an organization's IT topology. By design, for easier IT operations management, any computer connected to the Directory can query for these resources, making it the primary database attackers use to get ALL the information they need.
Active Directory is a service that Microsoft created to control the entire organization and make IT management easier. As a result, every computer connected to the domain has read-only access to openly and naturally query Active Directory for other users, computers, applications, services, policies, credentials, permissions, and passwords.
The native query capabilities provide everything an attacker needs to move beyond the single compromised machine and into the network. Simple, undetectable queries from a normal user account to Active Directory tell the attacker about all the database servers, file servers, and highly privileged accounts, providing a detailed map of the organization.
A procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer. Another scanning method, inverse mapping, returns information about what IP addresses do not map to live hosts; this enables an attacker to make assumptions about viable addresses.
Attackers and IT administrators use this method to identify what computers are on a segment, but it, too, is limited. Time-consuming and ‘noisy’ to other monitoring/detection systems, it only provides presence information. Other details that would help the attacker learn about vulnerabilities, apps, or credentials are not accessible.
Link-Local Multicast Name Resolution
A protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. It gives the attacker knowledge of the computer(s) it can access in the segment in which it resides.
The information it provides is limited. Just knowing the computers around them does not give attackers information about applications, services, users, and credentials. There is also no way to validate whether a given computer is real or fake (a honeypot).
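The DNS-style packet layout described above, as an added example that is not part of the original page: a minimal parser a monitoring sensor could use to log which names hosts resolve over LLMNR. The header bit positions follow RFC 4795; the function name, the sample packet and the host name `fileserver01` are constructed for illustration.

```python
import struct

LLMNR_PORT = 5355  # UDP; queries go to 224.0.0.252 or ff02::1:3 (RFC 4795)
QTYPES = {1: "A", 12: "PTR", 28: "AAAA", 255: "ANY"}

def parse_llmnr(payload: bytes) -> dict:
    """Parse the header and first question of an LLMNR UDP payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS-style header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    msg = {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "conflict": bool(flags & 0x0400),     # C bit, specific to LLMNR
        "truncated": bool(flags & 0x0200),    # TC bit
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }
    if qd == 0:
        return msg
    labels, pos = [], 12
    while True:  # question name: length-prefixed labels ending in a zero byte
        if pos >= len(payload):
            raise ValueError("name runs past end of packet")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("compression pointer or invalid label in question")
        if pos + length > len(payload):
            raise ValueError("label runs past end of packet")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("missing QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!2H", payload[pos:pos + 4])
    msg.update(name=".".join(labels),
               qtype=QTYPES.get(qtype, str(qtype)), qclass=qclass)
    return msg

# Constructed sample: a query for the single-label name "fileserver01", type A, class IN.
SAMPLE_QUERY = (bytes.fromhex("a1b200000001000000000000")
                + bytes([12]) + b"fileserver01" + b"\x00"
                + struct.pack("!2H", 1, 1))

if __name__ == "__main__":
    print(parse_llmnr(SAMPLE_QUERY))
```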