Query Details

CVE 2024 49113 LDAP Nightmare

Query

# LDAPNightmare Exploitation Attempt

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1210 | Exploitation of Remote Services | https://attack.mitre.org/techniques/T1210/ |

#### Description
The query below detects the initial connection made when an attacker tries to run the LDAPNightmare exploit. That initial connection is made to the victim server, which then sends a DNS SRV query. A hit on the query does not necessarily mean the exploit worked: if the system is patched or RPC access is denied, the exploit cannot be executed, but the query will still return results. This also lets you hunt for attempts; if the victim is still vulnerable, it has likely been exploited.

The *ExcludedSources* list can be used to filter known false positives (benign sources); depending on your configuration, part of this behaviour may also be executed by benign processes. Filter commonly used RemoteIPs to exclude them from the results.
Other tools that leverage *DsrGetDcNameEx2* may also appear in the results.

#### Risk
LDAPNightmare exploit executed.

#### References
- https://github.com/SafeBreach-Labs/CVE-2024-49113
- https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/

## Defender XDR
```KQL
let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP 
| project-reorder Timestamp, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLine
```

## Sentinel
```KQL
let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP 
| project-reorder TimeGenerated, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLine
```

Explanation

This query is designed to detect attempts to exploit a vulnerability known as LDAPNightmare. Here's a simple breakdown of what the query does:

1. Purpose: The query aims to identify initial connection attempts that might indicate someone is trying to exploit the LDAPNightmare vulnerability on a server.
2. How it Works:
   - It looks for network events where an inbound connection is accepted.
   - It filters out connections from known safe sources (specified in the ExcludedSources list).
   - It specifically checks for connections where the process involved is lsass.exe, which is a legitimate Windows process but could be exploited in this context.
   - It focuses on connections to a specific port (49664), which is relevant to this exploit attempt.
3. Output:
   - The query renames and organizes the output to show key details such as the attacker's IP address, the victim's IP address, the port used, and the command line of the initiating process.
   - It helps identify potential exploitation attempts, even if the exploit was not successful (e.g., if the system is patched).
4. Usage:
   - Security teams can use this query to monitor and investigate suspicious activity related to LDAPNightmare.
   - It can help in identifying both successful and unsuccessful exploitation attempts, allowing for proactive defense measures.
5. Customization:
   - Users can modify the ExcludedSources list to exclude known benign IP addresses from the results, reducing false positives.

Overall, this query is a tool for cybersecurity professionals to detect and analyze potential LDAPNightmare exploit attempts in their network environment.
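As an added illustration (not part of the original query page), the same filters and projection as the KQL above written in Python and run over a handful of constructed DeviceNetworkEvents-style rows; the IPs, device name and timestamp are made-up sample values, and the non-matching rows show which conditions drop an event.

```python
from typing import Any, Dict, Iterable, List

# Values the page's KQL keys on.
LDAPNIGHTMARE_LOCAL_PORT = 49664
LSASS = "lsass.exe"

def _event(remote_ip: str, port: int, proc: str,
           action: str = "InboundConnectionAccepted") -> Dict[str, Any]:
    """One constructed DeviceNetworkEvents-style row (sample data, not real telemetry)."""
    return {
        "Timestamp": "2025-01-06T10:00:00Z", "DeviceName": "dc01", "ActionType": action,
        "RemoteIP": remote_ip, "LocalIP": "10.0.0.5", "LocalPort": port,
        "InitiatingProcessVersionInfoOriginalFileName": proc,
        "InitiatingProcessCommandLine": f"C:\\Windows\\system32\\{proc}",
    }

# Constructed sample rows: one matching attempt, one from an excluded source,
# one on another port, one from another process, one that is not an accepted inbound connection.
SAMPLE_EVENTS = [
    _event("192.0.2.50", 49664, LSASS),
    _event("10.10.10.10", 49664, LSASS),
    _event("192.0.2.51", 445, LSASS),
    _event("192.0.2.52", 49664, "svchost.exe"),
    _event("192.0.2.53", 49664, LSASS, action="ConnectionSuccess"),
]

def detect_ldapnightmare_attempts(events: Iterable[Dict[str, Any]],
                                  excluded_sources: Iterable[str]) -> List[Dict[str, Any]]:
    """Apply the same filters and projection as the page's KQL query.
    A returned row is an attempt (inbound connection to lsass.exe on 49664),
    not proof that the exploit succeeded; a patched host still produces it."""
    excluded = set(excluded_sources)
    hits = []
    for e in events:
        if e.get("ActionType") != "InboundConnectionAccepted":
            continue
        if e.get("RemoteIP") in excluded:  # ExcludedSources allow-list
            continue
        if e.get("InitiatingProcessVersionInfoOriginalFileName") != LSASS:
            continue
        if e.get("LocalPort") != LDAPNIGHTMARE_LOCAL_PORT:
            continue
        # project-rename / project-reorder: AttackerIP = RemoteIP, VictimIP = LocalIP
        hits.append({
            "Timestamp": e["Timestamp"], "DeviceName": e["DeviceName"],
            "VictimIP": e["LocalIP"], "AttackerIP": e["RemoteIP"], "LocalPort": e["LocalPort"],
            "InitiatingProcessCommandLine": e["InitiatingProcessCommandLine"],
        })
    return hits
```

With the page's default exclusion of 10.10.10.10 only the first sample row is returned; clearing the exclusion list also surfaces the row from the excluded source.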

Details

Bert-Jan Pals

Released: January 6, 2025

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents

Operators

let, pack_array, where, not, in, project-rename, project-reorder
