Query Details

LDAPNightmare Exploitation Attempt

CVE 2024 49113 LDAP Nightmare

Query

let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP 
| project-reorder Timestamp, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLine

About this query

Explanation

This query is designed to detect attempts to exploit a vulnerability known as LDAPNightmare. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to identify initial connection attempts that might indicate someone is trying to exploit the LDAPNightmare vulnerability on a server.

  2. How it Works:

    • It looks for network events where an inbound connection is accepted.
    • It filters out connections from known safe sources (specified in the ExcludedSources list).
    • It specifically checks for connections where the process involved is lsass.exe, which is a legitimate Windows process but could be exploited in this context.
    • It focuses on connections to a specific port (49664), which is relevant to this exploit attempt.
  3. Output:

    • The query renames and organizes the output to show key details such as the attacker's IP address, the victim's IP address, the port used, and the command line of the initiating process.
    • It helps identify potential exploitation attempts, even if the exploit was not successful (e.g., if the system is patched).
  4. Usage:

    • Security teams can use this query to monitor and investigate suspicious activity related to LDAPNightmare.
    • It can help in identifying both successful and unsuccessful exploitation attempts, allowing for proactive defense measures.
  5. Customization:

    • Users can modify the ExcludedSources list to exclude known benign IP addresses from the results, reducing false positives.

Overall, this query is a tool for cybersecurity professionals to detect and analyze potential LDAPNightmare exploit attempts in their network environment.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: January 6, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

letpack_arraywherenotinproject-renameproject-reorder

MITRE Techniques

Actions

GitHub