LDAP Nightmare POC Detection
Query
// LDAPNightmare POC Detection
// https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/
// SafeBreach Labs Researchers developed a zero-click PoC exploit that crashes unpatched Windows Servers using the Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability.
DnsEvents
| where TimeGenerated > ago(1h)
| where Name has "_ldap._tcp.dc._msdcs." or Name has "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs."
| extend LDAPQueryHost = iff((Name has "_ldap._tcp.dc._msdcs."),
tostring(split(Name, "_ldap._tcp.dc._msdcs.", 1)),
tostring(split(Name, "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.", 1)))
| where isnotempty(LDAPQueryHost)
| where not (LDAPQueryHost has ".local" or LDAPQueryHost has "workgroup" or LDAPQueryHost has "-DC")
| where QueryType == "33"
| where ResultCode == 0
// MITRE ATT&CKExplanation
This KQL query is designed to detect potential exploitation attempts of a vulnerability known as LDAPNightmare (CVE-2024-49113) on Windows Servers. Here's a simplified breakdown of what the query does:
-
Data Source: It analyzes DNS events (
DnsEvents) to identify suspicious LDAP queries. -
Time Frame: The query focuses on events generated in the last hour (
TimeGenerated > ago(1h)). -
LDAP Query Identification: It looks for DNS queries that include specific LDAP service records, which are typically used to locate domain controllers:
_ldap._tcp.dc._msdcs._ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.
-
Extracting Host Information: It extracts the host part of the LDAP query (
LDAPQueryHost) by splitting the query name string based on the identified LDAP service records. -
Filtering Hosts: It filters out any hosts that are likely non-threatening or irrelevant by excluding those that:
- Contain ".local"
- Contain "workgroup"
- Contain "-DC"
-
Query Type and Result Code: It further narrows down the results to DNS queries of type "33" (SRV records) with a successful result code (
ResultCode == 0).
Overall, this query aims to identify potentially malicious LDAP queries that could indicate an attempt to exploit the LDAPNightmare vulnerability, while filtering out benign or irrelevant queries.
Details

Steven Lim
Released: January 3, 2025
Tables
Keywords
Operators