8

I am looking for a method to log LDAP access to an Active Directory domain controller. I want to be able to log the username and source IP address of access to both 389 and 636 (encrypted).

A simple packet capture would get me the source IP, but getting the username will not be possible over LDAPS, so I am hoping there is some built-in auditing/debug/logging feature in Windows that will give me this information.

Zoredache
  • 133,737

5 Answers

9

The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:

  • EventID: 4624
  • SubjectUserSID: S-1-5-18

The details will be lurking in these XML elements:

  • TargetUserName
  • IPAddress

If you're viewing things in the decoded text-view, the key markers are:

  • EventID: 4624
  • Network Information -> Workstation Name = name of the LDAP Server

The details will be:

  • Network Information -> Source Network Address
  • New Logon -> Account Name

The key thing that differentiates these login events from regular login events is that the ldap binds are in effect logging in TO the domain-controller in question. That's why the "Workstation Name" field is filled in.

Phrasing the search to get these events will prove tricky.

sysadmin1138
  • 135,853
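Added example (not part of sysadmin1138's answer): a PowerShell search that turns the two markers above (EventID 4624, SubjectUserSid S-1-5-18, WorkstationName equal to the DC itself) into a structured XPath filter on the Security log, reads the interesting fields by name from the event XML instead of by position, and summarises distinct account/source-IP pairs. `$DcName`, `$Hours`, `$MaxEvents` and the CSV path are assumptions; run it on the domain controller with rights to read the Security log.

```powershell
# Added example, not the answer's own code. Assumes it runs on the DC and that
# $DcName is the NetBIOS name 4624 reports in WorkstationName for binds made to it.
param(
    [string]$DcName    = $env:COMPUTERNAME,
    [int]   $Hours     = 24,
    [int]   $MaxEvents = 5000,
    [string]$CsvPath   = "$env:TEMP\dc_network_logons.csv"   # hypothetical output path
)

# Build the XPath from the markers in the answer; timediff() bounds the pull to the last $Hours.
$sinceMs = $Hours * 3600 * 1000
$clauses = @(
    "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $sinceMs]]]",
    "*[EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]",
    "*[EventData[Data[@Name='WorkstationName']='$DcName']]"
)
$xpath = $clauses -join ' and '

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# Read EventData fields by their Name attribute; Properties[] indexes differ between event IDs.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        SourceIP    = $d['IpAddress']                 # "Source Network Address" in the text view
        SourcePort  = $d['IpPort']
        LogonType   = $d['LogonType']
        AuthPackage = $d['AuthenticationPackageName']
    }
}

# One line per account/source-IP pair: how often, when first and last seen, which auth packages.
$summary = $rows | Group-Object Account, SourceIP | ForEach-Object {
    $byTime = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Account      = $byTime[0].Account
        SourceIP     = $byTime[0].SourceIP
        Count        = $_.Count
        FirstSeen    = $byTime[0].Time
        LastSeen     = $byTime[-1].Time
        AuthPackages = ($byTime.AuthPackage | Sort-Object -Unique) -join ','
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -NoTypeInformation -Path $CsvPath
```

Two caveats when reading the output: 4624 names the computer the logon was made to, not the service, so any other network logon made directly to the DC (SMB, RPC) matches the same markers and lands in the list; and the XPath filter is evaluated by the event log service, so it is far cheaper than pulling every 4624 and filtering in PowerShell.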
1

Old question I know, but take a look at ADInsight: https://technet.microsoft.com/en-us/sysinternals/adinsight.aspx

0

10 years passed, but the question asked is still relevant :)

I have created a "collecting NETSTAT" PowerShell script. It runs netstat in a loop until you press Ctrl+C or until the number of iterations (specified in the parameters) is reached, and collects distinct data about "client IP"/"connection protocol". Upon completion it generates .txt and .csv files containing the IPs of clients connected on each protocol during the run. Unfortunately it doesn't show usernames, only IPs.

Link to script: https://it4it.solutions/2021/08/19/collecting-netstat/

0

You need usernames.

From my experience, parsing the Windows security event log is a very ignoble task. Even when working with MS field engineers, they sometimes don't know what some events mean.

You can play with the filter parameters. Now it gathers 4624 and 4625 events + a filter on SID length > 10 symbols (to get rid of the so-called well-known SIDs) and takes the 100000 last records (if you need "unlimited", change it to 10000000). I have tested it on Windows Server 2019; it works well.

Here is the script:

[string]$pathToSaveFiles = $PSScriptRoot + "\"
$PSOobj4CSV = @()
$nrOfLogRecordsToProcess = 10000
$hostname = $env:computername

$CurrDateTimeStr = [DateTime]::Now.ToString("yyyyMMdd-HHmmss")
$pathToCSV = "$($pathToSaveFiles)$($CurrDateTimeStr)_$($hostname)_ldap_users_IPs.csv"
Write-Host "Fetching records..."
# Newest 4624 (successful) and 4625 (failed) logon events from the Security log
$eventList = Get-WinEvent -FilterHashtable @{logname='security'; id=4624,4625} | Select-Object -First $nrOfLogRecordsToProcess
$i = 1
$recordCount = $eventList.count
foreach ($currEvent in $eventList) {
    # Properties[4] is TargetUserSid in both events; well-known SIDs are 10 characters or shorter
    if ($currEvent.Properties[4].Value.Value.Length -gt 10) {
        # IpAddress sits at index 18 in 4624 but at index 19 in 4625 (index 18 there is ProcessName)
        $ipIndex = if ($currEvent.Id -eq 4625) { 19 } else { 18 }
        $PSOline = [pscustomobject]@{
            'Time'        = $currEvent.TimeCreated.ToString()
            'AccountName' = $currEvent.Properties[5].Value        # TargetUserName
            'IP'          = $currEvent.Properties[$ipIndex].Value # IpAddress
        }
        Write-Host "Record $i from $recordCount time: $($currEvent.TimeCreated.ToString()) AccountName: $($currEvent.Properties[5].Value) IP: $($currEvent.Properties[$ipIndex].Value)"
        $PSOobj4CSV += $PSOline
    }
    $i++
}
$PSOobj4CSV | Export-Csv $pathToCSV -NoTypeInformation -Append -Force
Write-Host "Info written to $pathToCSV file"

Dave M
  • 4,494
0

For only port info,

netstat 1 -an | findstr ":389"

OR

netstat 1 -an | findstr ":636"

1 means [<Interval>]

Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

Ivan Chau
  • 275
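Added example, serving both the "collecting NETSTAT" answer above and the netstat one-liners in this answer (it is neither the linked script nor Ivan Chau's commands): a PowerShell sampler that reads the TCP table with Get-NetTCPConnection instead of parsing netstat output, keeps one record per distinct client address and LDAP/LDAPS port seen across the run, and writes the result to CSV. `$Iterations`, `$IntervalSeconds`, `$Ports` and `$OutDir` are assumed parameters; it needs the NetTCPIP module (Windows Server 2012 R2 or later).

```powershell
# Added example, not the linked script. Assumes Get-NetTCPConnection is available
# and that the account running it may read the TCP table on the DC.
param(
    [int]    $Iterations      = 60,
    [int]    $IntervalSeconds = 1,
    [int[]]  $Ports           = @(389, 636),
    [string] $OutDir          = $env:TEMP   # hypothetical output directory
)

$seen = @{}   # key "remoteIP|localPort" -> record with first/last seen and sample count

for ($round = 1; $round -le $Iterations; $round++) {
    $now = Get-Date
    Get-NetTCPConnection -LocalPort $Ports -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = "$($_.RemoteAddress)|$($_.LocalPort)"
            if (-not $seen.ContainsKey($key)) {
                $proto = if ($_.LocalPort -eq 636) { 'LDAPS' } else { 'LDAP' }
                $seen[$key] = [pscustomobject]@{
                    RemoteAddress = $_.RemoteAddress
                    LocalPort     = $_.LocalPort
                    Protocol      = $proto
                    FirstSeen     = $now
                    LastSeen      = $now
                    Samples       = 0
                }
            }
            $seen[$key].LastSeen = $now
            $seen[$key].Samples++
        }
    Write-Progress -Activity "Sampling LDAP/LDAPS connections" `
        -Status "round $round of $Iterations, $($seen.Count) distinct client/port pairs" `
        -PercentComplete (100 * $round / $Iterations)
    Start-Sleep -Seconds $IntervalSeconds
}

# Per-client detail, sorted by port then address, plus a per-protocol count of distinct clients.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$csvPath = Join-Path $OutDir "$($env:COMPUTERNAME)_ldap_clients_$stamp.csv"
$records = $seen.Values | Sort-Object LocalPort, RemoteAddress
$records | Export-Csv -NoTypeInformation -Path $csvPath
$records | Group-Object Protocol | ForEach-Object {
    "{0}: {1} distinct client address(es)" -f $_.Name, $_.Count
}
"Detail written to $csvPath"
```

Like the netstat loop it replaces, this only sees connections that are still established at a sample instant, so binds that open, query and close inside one interval are missed; the Security-log search in the accepted answer does not have that gap, but this sampler needs no audit policy at all.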