What does this LDAP traffic signify? "<ROOT>" baseObject


The requesting host is compromised, sending traffic to the DC (the former is running Sharphound to perform recon - though I don't know if that is a part of this). I am very new to LDAP and am clueless as to what this means. Is this malicious? The details are below, any help would be appreciated!


Answer by user1686:

For regular LDAP over TCP, the "null DN" entry (indicated as <ROOT> by Wireshark) is often called the "rootDSE", and is used for protocol negotiation – it contains attributes indicating what LDAP protocol extensions are supported by the server. For example, whenever an LDAP client wants to use SASL authentication or StartTLS, it first makes a query for the rootDSE entry to make sure that's available:

$ ldapsearch -x -b "" -s base + \*
[...]
supportedControl: 1.3.6.1.1.13.1              # 'pre-read' control supported
supportedExtension: 1.3.6.1.4.1.1466.20037    # StartTLS supported
supportedExtension: 1.3.6.1.4.1.4203.1.11.1   # password change supported
supportedFeatures: 1.3.6.1.1.14               # 'Increment' operation supported
supportedSASLMechanisms: GSSAPI               # Kerberos authentication supported
[...]

(The rootDSE also has some AD-specific parameters, but that's not its main purpose.)

Seeing such requests over TCP is normal for any LDAP communications.

The CLDAP request over UDP is a slightly different thing – it's a Netlogon ping used by Windows AD clients to quickly check communications with a domain controller. It serves a similar purpose as the above rootDSE search, but deals with AD Netlogon parameters rather than LDAP parameters.

Seeing an occasional CLDAP ping from any AD member to your DCs is normal (as long as their payload makes sense, and as long as it's not a flood of requests).
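To make the two requests in the answer concrete at the byte level, here is an added example (not part of the original question or answer, and not Wireshark or Microsoft code) that builds both SearchRequests with a minimal BER encoder per RFC 4511, decodes them back from raw bytes, and labels them the way the answer does. The empty baseObject is exactly what Wireshark renders as "<ROOT>". The domain name `corp.example`, host `ws01` and the message IDs are constructed sample values; the CLDAP filter follows the MS-ADTS "LDAP ping" shape (DnsDomain/Host/NtVer with the `Netlogon` attribute), and `classify()` is a heuristic of my own, not a Wireshark dissector rule.

```python
"""Build, decode and label rootDSE and CLDAP Netlogon-ping SearchRequests.
Added example: sample names/IDs are constructed; classify() is a heuristic."""

# --- minimal BER/LDAP encoder (RFC 4511) ------------------------------------

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def octet_string(s: str) -> bytes:
    return tlv(0x04, s.encode())

def integer(n: int) -> bytes:
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def enumerated(n: int) -> bytes:
    return tlv(0x0A, bytes([n]))

def boolean(b: bool) -> bytes:
    return tlv(0x01, b"\xff" if b else b"\x00")

def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

# Filter choices (RFC 4511 4.5.1.7): context-specific tags replace the SET/SEQUENCE tag.
def filter_and(*filters: bytes) -> bytes:
    return tlv(0xA0, b"".join(filters))                       # [0] and (constructed)

def filter_equality(attr: str, value: bytes) -> bytes:
    return tlv(0xA3, octet_string(attr) + tlv(0x04, value))   # [3] equalityMatch

def filter_present(attr: str) -> bytes:
    return tlv(0x87, attr.encode())                            # [7] present (primitive)

SCOPE_BASE = 0   # baseObject: only the entry named by baseObject itself

def search_request(msg_id: int, base: str, scope: int, filt: bytes, attrs: list[str]) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 3] SearchRequest }."""
    body = (octet_string(base) + enumerated(scope) + enumerated(0)   # derefAliases=never
            + integer(0) + integer(0) + boolean(False)                # sizeLimit, timeLimit, typesOnly
            + filt + sequence(*(octet_string(a) for a in attrs)))
    return sequence(integer(msg_id), tlv(0x63, body))

def rootdse_request(msg_id: int) -> bytes:
    """What `ldapsearch -x -b "" -s base + '*'` sends: empty base (Wireshark: <ROOT>),
    scope baseObject, filter (objectClass=*), attribute selectors "+" and "*"."""
    return search_request(msg_id, "", SCOPE_BASE, filter_present("objectClass"), ["+", "*"])

def netlogon_ping_request(msg_id: int, dns_domain: str, host: str) -> bytes:
    """CLDAP "LDAP ping" (MS-ADTS 6.3.3): same empty base and baseObject scope, but the
    filter carries Netlogon parameters and the only attribute requested is "Netlogon".
    NtVer 0x00000006 = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX, little-endian."""
    ntver = (0x00000006).to_bytes(4, "little")
    filt = filter_and(filter_equality("DnsDomain", dns_domain.encode()),
                      filter_equality("Host", host.encode()),
                      filter_equality("NtVer", ntver))
    return search_request(msg_id, "", SCOPE_BASE, filt, ["Netlogon"])

# --- minimal BER decoder and request summary --------------------------------

def ber_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, value, pos = ber_read(buf, pos)
        yield tag, value

def escape_value(value: bytes) -> str:
    """RFC 4515 style rendering: printable bytes as-is, everything else as \\hh."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and chr(b) not in "()*\\" else f"\\{b:02x}"
                   for b in value)

def render_filter(tag: int, value: bytes) -> str:
    if tag == 0xA0:
        return "(&" + "".join(render_filter(t, v) for t, v in iter_tlvs(value)) + ")"
    if tag == 0x87:
        return f"({value.decode()}=*)"
    if tag == 0xA3:
        (_, attr), (_, val) = list(iter_tlvs(value))
        return f"({attr.decode()}={escape_value(val)})"
    return f"(?tag=0x{tag:02x})"            # other filter choices are out of scope here

def decode_search_request(packet: bytes) -> dict:
    tag, message, _ = ber_read(packet)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    (_, msg_id), (op_tag, op) = list(iter_tlvs(message))[:2]
    if op_tag != 0x63:
        raise ValueError(f"not a SearchRequest (tag 0x{op_tag:02x})")
    f = list(iter_tlvs(op))                 # base, scope, deref, size, time, typesOnly, filter, attrs
    return {"msg_id": int.from_bytes(msg_id, "big", signed=True),
            "base": f[0][1].decode(),       # "" is what Wireshark shows as <ROOT>
            "scope": f[1][1][0],
            "filter": render_filter(*f[6]),
            "attrs": [v.decode() for _, v in iter_tlvs(f[7][1])]}

def classify(info: dict, transport: str) -> str:
    """Heuristic label (my own, not a Wireshark rule) for a decoded SearchRequest."""
    root_base = info["base"] == "" and info["scope"] == SCOPE_BASE
    if transport == "udp" and root_base and [a.lower() for a in info["attrs"]] == ["netlogon"]:
        return "CLDAP Netlogon ping (normal from AD members; only a flood is suspicious)"
    if root_base:
        return "rootDSE query (normal LDAP capability negotiation)"
    return f"ordinary search under base {info['base']!r}"

if __name__ == "__main__":
    for transport, pkt in [("tcp", rootdse_request(1)),
                           ("udp", netlogon_ping_request(2, "corp.example", "ws01"))]:
        info = decode_search_request(pkt)
        print(f"{transport.upper()} msgid={info['msg_id']} base={info['base']!r} "
              f"scope={info['scope']} filter={info['filter']} attrs={info['attrs']}")
        print("  ->", classify(info, transport))
        print("  raw:", pkt.hex())
```

Run it and compare the printed hex with the bytes Wireshark shows for your capture: a benign rootDSE query has an empty baseObject, scope baseObject and `(objectClass=*)`; a benign CLDAP ping has the same empty base but a `(&(DnsDomain=...)(NtVer=...))` filter and asks only for `Netlogon`. A "<ROOT>" search with a different scope, a broad filter, or a long attribute list is the thing worth a second look, not the rootDSE lookup itself.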