> For the complete documentation index, see [llms.txt](https://docs.fusion.vectra.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_internal.md). # ldap\_scanning\_internal **Explanation** This NDM was written by the Netography Threat Research team to detect unauthorized LDAP scanning activity within a customer's network. **What to Look For** When examining the results of the ldap\_scanning\_internal event, it is important to look for any activity that is indicative of LDAP scanning. LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information services, such as Active Directory. LDAP scanning involves searching for and querying specific LDAP attributes and can be used to gather information about users and system configurations. If LDAP scanning activity is detected, it may be the result of an attacker attempting to gather information for a future attack or to exploit vulnerabilities in the LDAP system. Customers should ensure that authorized LDAP scanners, such as network monitors, are added to the "Discard" function in this NDM to avoid triggering false positives. It's important to remediate any unauthorized LDAP scanning activity as it could be an indication of a potential attack or data breach. **Related MITRE ATT\&CK Categories** [Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/ldap_scanning_internal.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.