LDAPNightmare Exploitation Attempt
CVE 2024 49113 LDAP Nightmare
Query
let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP
| project-reorder Timestamp, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLineAbout this query
Explanation
This query is designed to detect attempts to exploit a vulnerability known as LDAPNightmare. Here's a simple breakdown of what the query does:
-
Purpose: The query aims to identify initial connection attempts that might indicate someone is trying to exploit the LDAPNightmare vulnerability on a server.
-
How it Works:
- It looks for network events where an inbound connection is accepted.
- It filters out connections from known safe sources (specified in the
ExcludedSourceslist). - It specifically checks for connections where the process involved is
lsass.exe, which is a legitimate Windows process but could be exploited in this context. - It focuses on connections to a specific port (49664), which is relevant to this exploit attempt.
-
Output:
- The query renames and organizes the output to show key details such as the attacker's IP address, the victim's IP address, the port used, and the command line of the initiating process.
- It helps identify potential exploitation attempts, even if the exploit was not successful (e.g., if the system is patched).
-
Usage:
- Security teams can use this query to monitor and investigate suspicious activity related to LDAPNightmare.
- It can help in identifying both successful and unsuccessful exploitation attempts, allowing for proactive defense measures.
-
Customization:
- Users can modify the
ExcludedSourceslist to exclude known benign IP addresses from the results, reducing false positives.
- Users can modify the
Overall, this query is a tool for cybersecurity professionals to detect and analyze potential LDAPNightmare exploit attempts in their network environment.
