LDAPMonitor
LDAPmonitor is a tool that monitors any changes made to the target LDAP objects on LIVE
It’s very similar to PSPY in a way that it surveils changes on LIVE
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ LDAPmonitor -u florence.ramirez -p 'uxLmt*udNc6t3HrF' -d GHOST.HTB --dc-ip $IP
[+]======================================================
[+] LDAP live monitor v1.3 @podalirius_
[+]======================================================
[>] Trying to connect to 10.10.11.24 ...
[>] Listening for LDAP changes ...Executing LDAPMonitor with the TGT of the florence.ramirez user
It would appear that there might be a script running with the credential of the florence.ramirez user