LDAPmonitor


LDAPmonitor is a tool that monitors changes made to the target LDAP objects live. It is very similar to pspy in that it surveils changes as they happen.

┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=tiffany.molina@dc.intelligence.htb.ccache python3 LDAPmonitor/python/pyLDAPmonitor.py -d INTELLIGENCE.HTB -u tiffany.molina --no-pass -k --dc-ip $IP  
[+]======================================================
[+]    LDAP live monitor v1.3        @podalirius_        
[+]======================================================
 
[>] Trying to connect to DC ...
[debug] using kerberos cache: tiffany.molina@dc.intelligence.htb.ccache
[debug] Using TGT from cache
[>] Listening for LDAP changes ...

Executing LDAPmonitor using the TGT of the tiffany.molina user

The ted.graves user appears to be actively logging on

Additionally, the AD object, DC=dc,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb, is being changed periodically

A change was also made to the CN=DC,OU=Domain Controllers,DC=intelligence,DC=htb object
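
The change reports above can be pictured as a comparison of two successive snapshots of the directory. The following is an added example, not code from LDAPmonitor or from these notes: it assumes a poll-and-diff approach, and the user DN, group DNs and all attribute values are constructed.

```python
from typing import Dict, List

Snapshot = Dict[str, Dict[str, List[str]]]  # DN -> attribute -> values

def diff_snapshots(old: Snapshot, new: Snapshot, ignore=()) -> List[tuple]:
    """Return (dn, kind, attribute, old_values, new_values) per change."""
    skip = {a.lower() for a in ignore}  # attribute names are case-insensitive
    changes = []
    for dn in sorted(set(old) | set(new)):
        if dn not in old or dn not in new:
            kind = "object-added" if dn not in old else "object-removed"
            changes.append((dn, kind, "", [], []))
            continue
        before = {k.lower(): (k, v) for k, v in old[dn].items()}
        after = {k.lower(): (k, v) for k, v in new[dn].items()}
        for key in sorted(set(before) | set(after)):
            if key in skip:
                continue
            name = (after.get(key) or before.get(key))[0]
            old_v = before.get(key, (name, []))[1]
            new_v = after.get(key, (name, []))[1]
            if sorted(old_v) == sorted(new_v):  # values are an unordered set
                continue
            kind = "attr-added" if not old_v else "attr-removed" if not new_v else "attr-changed"
            changes.append((dn, kind, name, old_v, new_v))
    return changes

# Constructed sample data. The DNS DN is the one quoted in the notes; the user DN,
# group DNs and every attribute value are invented for the example.
USER = "CN=ted.graves,CN=Users,DC=intelligence,DC=htb"
DNS = "DC=dc,DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb"
IGNORE = ("whenChanged", "uSNChanged")  # bookkeeping attributes, noise for a watcher
OLD = {
    USER: {"lastLogon": ["133000000000000000"], "logonCount": ["41"],
           "memberOf": ["CN=A,DC=intelligence,DC=htb", "CN=B,DC=intelligence,DC=htb"]},
    DNS: {"dnsRecord": ["0400010005f00000"], "whenChanged": ["20240101000000.0Z"]},
}
NEW = {
    USER: {"lastLogon": ["133000003000000000"], "logonCount": ["42"],
           "memberOf": ["CN=B,DC=intelligence,DC=htb", "CN=A,DC=intelligence,DC=htb"]},
    DNS: {"dnsRecord": ["0400010005f00001"], "whenChanged": ["20240101000500.0Z"]},
}

if __name__ == "__main__":
    for dn, kind, attr, old_v, new_v in diff_snapshots(OLD, NEW, IGNORE):
        print(f"[{kind}] {dn} {attr}: {old_v} -> {new_v}")
```

The reordered `memberOf` values produce no report, while the `lastLogon` and `logonCount` changes on the user and the `dnsRecord` change on the DNS node do.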