Use a log search query to identify any LDAP communications

Microsoft is planning to enable LDAP channel binding and LDAP signing requirements (LDAPS) by default through a patch on Active Directory servers in the second half of 2020.

The security of Active Directory domain controllers can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.

After installing the patch, it will no longer be possible to communicate with Active Directory via simple bind on port TCP 389, which prevents passwords from being transmitted in clear text. Communication will then only take place encrypted via port TCP 636 (SSL/TLS).

You can use the following log search query to check for any LDAP activity on your network. This is useful if you want to find out what is using LDAP on your network before deploying the latest Microsoft patches. Use the Network Flow log set as the data source.

where(ldap) groupby(destination_address) calculate(count)

One thing to note is that this communication will usually not pass through a firewall, so firewall logs will not be a good source for it. You will need to deploy an Insight Network Sensor with the ENTA option enabled to use this query.
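As an added example (not part of the original post and not InsightIDR code), the same triage done offline in Python over constructed flow records: it groups by destination like the query above, but also splits clear-text LDAP (389, and the Global Catalog equivalent 3268) from LDAPS (636/3269) and lists the sources still using clear-text so they can be fixed before the patch. The comma-separated record format is an assumption for illustration, not the Network Flow log set's real schema.

```python
"""Triage network-flow records for clear-text LDAP before enforcing signing.

Added example, not from the original post or InsightIDR. The record format
below is constructed for illustration, not the Network Flow log set's schema.
"""
from collections import defaultdict

# Active Directory ports: 389/3268 clear-text LDAP (simple binds exposed),
# 636/3269 LDAP over TLS. 3268/3269 are the Global Catalog equivalents.
CLEARTEXT_LDAP_PORTS = {389, 3268}
LDAPS_PORTS = {636, 3269}

# Constructed sample flow lines: source,destination,destination_port,protocol
SAMPLE_FLOWS = """\
10.0.5.21,10.0.1.10,389,tcp
10.0.5.21,10.0.1.10,389,tcp
10.0.7.44,10.0.1.10,636,tcp
10.0.9.12,10.0.1.11,3268,tcp
10.0.7.44,10.0.1.11,636,tcp
10.0.5.21,10.0.1.10,445,tcp
"""


def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, dport, proto = parts
        yield src, dst, int(dport), proto.lower()


def summarize_ldap(text):
    """Per destination (likely a domain controller): clear-text vs LDAPS flow
    counts plus the set of sources still binding in clear text. Mirrors
    `where(ldap) groupby(destination_address) calculate(count)` with extra detail."""
    report = defaultdict(lambda: {"cleartext": 0, "ldaps": 0, "cleartext_sources": set()})
    for src, dst, dport, proto in parse_flows(text):
        if proto != "tcp":  # the binding/signing change concerns TCP binds
            continue
        if dport in CLEARTEXT_LDAP_PORTS:
            report[dst]["cleartext"] += 1
            report[dst]["cleartext_sources"].add(src)
        elif dport in LDAPS_PORTS:
            report[dst]["ldaps"] += 1
    return dict(report)


if __name__ == "__main__":
    for dst, r in sorted(summarize_ldap(SAMPLE_FLOWS).items()):
        print(f"{dst}: cleartext={r['cleartext']} ldaps={r['ldaps']} "
              f"fix-before-patch={sorted(r['cleartext_sources'])}")
```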
