# ldap\_scanning\_inside\_to\_outside

**Explanation**

This NDM detects LDAP scanning that originates inside the customer's network and is directed at hosts outside it. LDAP is an open protocol used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. The NDM triggers on LDAP scanning that may indicate an infection, with an attacker using a compromised machine on the customer network to pivot further outside of the network.

**What to Look For**

To analyze the results of this NDM event, customers should look for any outbound LDAP scanning traffic leaving their networks. LDAP scanning essentially involves seeking out LDAP services and then attempting to authenticate as a valid user. It can be used to gain access to sensitive information and credentials. Any endpoints exhibiting this behavior should be thoroughly investigated and their access credentials should be audited and changed as necessary. Additionally, customers should review their security policies and configurations to ensure LDAP-related services are not publicly accessible and that access is controlled based on the principle of least privilege.
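One way to triage flow logs for the behavior described above, as an added example that is not the NDM's own logic: it flags internal hosts that reach many distinct external hosts on LDAP ports within a short window. The port list, the 300-second window, the threshold of five destinations, the RFC 1918 definition of "internal" and the flow tuple layout are all assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the NDM): port list, window and threshold are illustrative.
LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog
WINDOW_SECONDS = 300
MIN_DISTINCT_DESTS = 5
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_outbound_ldap_scanners(flows, min_dests=MIN_DISTINCT_DESTS):
    """Map each internal source to the external LDAP destinations it hit in
    any window where the distinct-destination count reached min_dests."""
    buckets = defaultdict(set)            # (src, window index) -> external dsts
    for ts, src, dst, dport in flows:
        if dport in LDAP_PORTS and is_internal(src) and not is_internal(dst):
            buckets[(src, ts // WINDOW_SECONDS)].add(dst)
    hits = defaultdict(set)
    for (src, _win), dsts in buckets.items():
        if len(dsts) >= min_dests:
            hits[src] |= dsts
    return {src: sorted(d) for src, d in hits.items()}

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # 10.1.2.30 sweeps six external hosts on 389 within one window
    [(1000 + i, "10.1.2.30", f"203.0.113.{i}", 389) for i in range(1, 7)]
    # single LDAPS session to one external directory: below threshold
    + [(1010, "10.1.2.40", "198.51.100.7", 636)]
    # internal clients talking to an internal domain controller: not outbound
    + [(1020 + i, f"10.1.2.{50 + i}", "10.1.0.5", 389) for i in range(6)]
    # wide outbound fan-out on HTTPS: not an LDAP port
    + [(1030 + i, "10.1.2.60", f"203.0.113.{100 + i}", 443) for i in range(6)]
    # six external LDAP hosts, but spread over separate windows
    + [(i * 400, "10.1.2.70", f"198.51.100.{20 + i}", 389) for i in range(6)]
)

if __name__ == "__main__":
    for src, dsts in find_outbound_ldap_scanners(SAMPLE_FLOWS).items():
        print(f"{src} contacted {len(dsts)} external LDAP hosts: {', '.join(dsts)}")
```

Hosts returned here are candidates for the endpoint investigation and credential audit described above; a legitimate client of a single external directory stays below the threshold.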

**Related MITRE ATT\&CK Categories**

[Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046)

[Reconnaissance: Active Scanning, Technique T1595 - Enterprise](https://attack.mitre.org/techniques/T1595)


