LDAPFragger: Command and Control over LDAP attributes
ID: 3668c5f8-a281-5638-b21d-06cef882bd61
STIX ID: report--3668c5f8-a281-5638-b21d-06cef882bd61
Feed Name: Fox-IT blog
This blog post documents LDAPFragger, an open-source method and tool that routes Cobalt Strike C2 traffic over Active Directory by abusing writable personal-information attributes of user objects as a covert data store. It covers enumeration and selection of suitable attributes, hashing so that client and server agree on the attribute and domain controller to use, fragmentation and CRC checks for reliable transfer, autodiscovery to bootstrap the C2 parameters, and mitigation guidance for detecting or limiting such LDAP-based channels.