# Introducing Malicious LDAP Query Protection for Cortex ITDR

By [Yitzy Tannenbaum](https://www.paloaltonetworks.com/blog/author/yitzy-tannenbaum/?ts=markdown "Posts by Yitzy Tannenbaum") and [Aviel Tzarfaty](https://www.paloaltonetworks.com/blog/author/aviel-tzarfaty/?ts=markdown "Posts by Aviel Tzarfaty")

Dec 02, 2025 (4 minutes)

Categories: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown)

Tags: [Cortex ITDR](https://www.paloaltonetworks.com/blog/tag/cortex-itdr/?ts=markdown), [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [Identity Threat Detection and Response](https://www.paloaltonetworks.com/blog/tag/identity-threat-detection-and-response/?ts=markdown), [XDR](https://www.paloaltonetworks.com/blog/tag/xdr/?ts=markdown)

Identity is the new perimeter. In almost every modern breach, the attacker's primary goal is to compromise credentials and move laterally across the network. To do this, they start at the same place: Active Directory (AD).

We are excited to announce a powerful new capability, available now for Cortex ITDR (Identity Threat Detection and Response): [**Malicious LDAP Query Protection**](https://www.paloaltonetworks.com/blog/security-operations/whats-new-in-cortex/). This module delivers ITDR directly via the Cortex XDR agent, enhancing Domain Controller (DC) security by shifting from log analysis to real-time, autonomous prevention.

## **The Problem: The "Phone Book" is Open to Everyone**

Think of your Active Directory as the organization's "phone book." It contains every user, every permission, and every address. By design, it is built to answer questions, receiving millions of legitimate queries every hour from users logging in, sending emails, or accessing resources. This availability makes the DC the "brain" of the company.

Since every user inherently has access to Active Directory, once an attacker compromises a single user account, they effectively gain the ability to query the organization's entire neural center. Before launching a full-scale attack, threat actors enter a [reconnaissance phase](https://attack.mitre.org/tactics/TA0043/). They query this "phone book" to identify privileged users, groups, and potential attack paths. Because the DC is designed to answer these questions, attackers can often map out your entire network, finding the "keys to the kingdom" without tripping standard alarms.

**The specific challenge is scale.** As discussed in recent [Unit 42 research](https://unit42.paloaltonetworks.com/lightweight-directory-access-protocol-based-attacks/), a single DC serving 100,000 users processes millions of queries per hour. Sifting through this volume to find a single malicious reconnaissance attempt is like finding a needle in a haystack of needles.

## **The Solution: From Manual Detection to Autonomous Prevention**

While previous approaches relied on manual hunting or post-event log analysis, our Research team has taken those methodologies and automated them into an **autonomous defense layer**. Our researchers didn't just write rules; they actively simulated attacks against test environments using popular tools to model the exact behavioral patterns of adversaries. This allows the Cortex XDR agent on the DC to analyze traffic directly at the source.

**How It Works: Context is King**

To accurately distinguish between a legitimate query and an attacker's reconnaissance, the module analyzes the **context** of the traffic in real time. A single query might look innocent on its own. However, the module connects the dots, analyzing each query in relation to the **last 100 queries from the same address**, to reveal malicious intent.

We analyze several key behavioral dimensions:

* **Source of Query:** Is this query coming from a trusted admin workstation or an anomalous endpoint?
* **Number of Queries (Volume):** We monitor for massive spikes in read operations. A legitimate user might look up one or two contacts; a tool like BloodHound will query thousands of objects in seconds.
* **Contextual Patterns:** We evaluate the "who" and "why." If a user account suddenly deviates from its standard behavior, performing lookups that don't match its role, the system flags it.
* **Query Attributes:** We identify specific search filters (like searching for adminCount=1 or unconstrained delegation) that are rarely used in business logic but are highly valuable to attackers.

![Figure 1. Malicious LDAP query detected by Cortex](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/12/word-image-349448-1.png)

Figure 1. Malicious LDAP query detected by Cortex

**Blocking the Tools of the Trade**

This module can now identify and **block** the unique signatures of specific tools, providing alerts that say not just "Suspicious Activity," but specifically "Attack detected via BloodHound." Cortex XDR blocks pieces of malicious functionality in variants of these tools:

* **BloodHound / SharpHound:** Used to visualize attack paths.
* **AdFind:** Linked to APT groups like **Stately Taurus**.
* **ADRecon:** Used by **BlackCat (ALPHV)** affiliates.
* **Certify:** Used to exploit Active Directory Certificate Services (AD CS).

## **The Benefits**

Implementing this protection provides a "double profit" for security teams:

1. **Real-Time Prevention (The Shield):** It stops the attack at the reconnaissance phase. By blocking the query, you effectively blind the attacker, forcing them to work without a map.
2. **Enriched Analytics (The Intelligence):** Every blocked query feeds back into the Cortex ITDR analytics engine. This enriches the broader security dataset, allowing the system to generate specific "Issues" in the console. This tells SOC analysts precisely which tool was used and who was targeted, converting raw data into actionable intelligence.

## **Summary**

Protecting the DC is non-negotiable. With Malicious LDAP Query Protection, [Cortex ITDR](https://www.paloaltonetworks.com/resources/techbriefs/identity-threat-detection-and-response-module) ensures that your AD infrastructure remains a secure resource for your employees, not an open map for your adversaries.
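To make the "How It Works" section concrete, here is an added illustration (not Cortex code, and not from the authors) of a per-source sliding window over the last 100 LDAP search requests that combines the volume and query-attribute dimensions the post describes. The thresholds, the sample source addresses and the replayed filters are assumptions constructed for the example; the `adminCount=1` filter and the unconstrained-delegation `userAccountControl` bit (524288) are the two attacker-valued filters the post names.

```python
"""Sliding-window scorer for LDAP search requests, modelled on the behavioural
dimensions the post describes (last 100 queries per source address, volume
spikes, rarely-legitimate search filters). Thresholds and sample traffic are
illustrative assumptions, not the Cortex implementation."""
from collections import defaultdict, deque
import re

WINDOW_SIZE = 100          # the post's "last 100 queries from the same address"
BURST_SECONDS = 10.0       # assumption: volume measured over a 10-second span
BURST_THRESHOLD = 50       # assumption: more than 50 searches in that span is a spike
SENSITIVE_THRESHOLD = 3    # assumption: 3+ attacker-valued filters in the window

# Filters rarely used by business logic but valued by attackers (both named in
# the post): adminCount=1 and the unconstrained-delegation bit 524288
# (UF_TRUSTED_FOR_DELEGATION) tested with the LDAP bitwise-AND matching rule.
SENSITIVE_FILTERS = [
    re.compile(r"\(adminCount=1\)", re.I),
    re.compile(r"userAccountControl:1\.2\.840\.113556\.1\.4\.803:=524288", re.I),
]


class LdapQueryMonitor:
    def __init__(self):
        # One bounded window per source address; old entries fall off automatically.
        self.windows = defaultdict(lambda: deque(maxlen=WINDOW_SIZE))

    def observe(self, source, ts, ldap_filter):
        """Record one search request and return a verdict for it in context."""
        win = self.windows[source]
        win.append((ts, ldap_filter))
        recent = [f for t, f in win if ts - t <= BURST_SECONDS]
        sensitive = sum(1 for _, f in win
                        if any(p.search(f) for p in SENSITIVE_FILTERS))
        reasons = []
        if len(recent) > BURST_THRESHOLD:
            reasons.append(f"volume: {len(recent)} searches in {BURST_SECONDS:.0f}s")
        if sensitive >= SENSITIVE_THRESHOLD:
            reasons.append(f"attributes: {sensitive} attacker-valued filters in window")
        return {"source": source, "block": bool(reasons), "reasons": reasons}


def run_sample():
    """Replay constructed traffic: a quiet workstation and a noisy recon-like host."""
    mon = LdapQueryMonitor()
    verdicts = {}
    # Constructed legitimate lookups: a few contact searches spread over a minute.
    for i in range(5):
        verdicts["10.0.0.5"] = mon.observe(
            "10.0.0.5", i * 12.0, "(&(objectClass=user)(mail=alice@example.test))")
    # Constructed reconnaissance-style burst: many searches within seconds,
    # mixing bulk enumeration with privileged-object filters.
    filters = ["(objectClass=user)", "(adminCount=1)", "(objectClass=group)",
               "(userAccountControl:1.2.840.113556.1.4.803:=524288)"]
    for i in range(80):
        verdicts["10.0.0.77"] = mon.observe("10.0.0.77", 100.0 + i * 0.05, filters[i % 4])
    return verdicts
```

A lone `(adminCount=1)` search from an otherwise quiet source produces no verdict on its own, which is the post's point that a single query looks innocent until it is read against its window.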