Cyber security

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection.

Its foundation is a 100% custom-built C# LDAP parser that handles tokenization and syntax tree parsing along with numerous custom properties that enable accurate and efficient obfuscation, deobfuscation and detection of LDAP SearchFilters.

The rest of the project is a PowerShell wrapper designed for maximum flexibility, randomization and pipeline capabilities for seamlessly connecting all desired functions in a single command.

Release Details

As defenders, from the very beginning of this research we wanted to release the information and framework in a responsible manner and decided on a two-stage release.

This decision was nobody’s but our own and we made this two-stage approach crystal clear in our CFP submissions.

Therefore, in the initial release of this research we are publishing all code EXCEPT the obfuscation module.

After at least 4 months we will then release the obfuscation module along with a Part II of this research (exact date TBD based on pending CFP submission).

Our intention is to give defenders a multi-month head start on setting up required LDAP SearchRequest telemetry and implementing the full detection ruleset that we published with this research.

Module NameRelease Date
LDAP Parser2024-08-07
Deobfuscation Module2024-08-07
Detection Module2024-08-07
Detection Ruleset2024-08-07
Telemetry Module2024-08-07
Obfuscation Corpus2024-08-07
Obfuscation ModuleIntentionally delayed release

Installation

Import-Module ./Maldaptive.psd1

Required Packages

PowerShell 7.1
.NET 6.0 (LTS)

Usage

Interactive mode is a colorful, menu-driven experience found in the Invoke-Maldaptive function (which also supports non-interactive capabilities via its own built-in CLI).

It is designed to promote exploration of all available functions with colored highlighting applied to amplify the important details returned from each function.

There is also some special animated ASCII art in this function, so we recommend giving it a whirl first.

Menu exploration supports full regex and basic wildcards, with special automated menu traversal options defined by **, *** and **** commands. You can always type HELP or TUTORIAL for more guidance.

At any point the full details of each layer of obfuscation or deobfuscation can be viewed, copied or fully exported out of the interactive menu.

MaLDAPtive also has full CLI support displayed in the same menu, so interactive mode can be used to “create obfuscation recipes” that can easily be exported into simple 1-liner commands.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

42 minutes ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

21 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

23 hours ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago