Query Details

LDAP Nightmare POC Detection

Query

// LDAPNightmare POC Detection

// https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/

// SafeBreach Labs Researchers developed a zero-click PoC exploit that crashes unpatched Windows Servers using the Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability.

DnsEvents
| where TimeGenerated > ago(1h)
// SRV lookups for the LDAP service of a domain controller, with or without the default site name in the record
| where Name has "_ldap._tcp.dc._msdcs." or Name has "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs."
// Keep only the part of the name after the SRV prefix, i.e. the domain whose DC is being looked up.
// split(...)[1] is used instead of split(..., 1): the latter returns a one-element array, so tostring() would yield ["host"] rather than host.
| extend LDAPQueryHost = iff((Name has "_ldap._tcp.dc._msdcs."),
    tostring(split(Name, "_ldap._tcp.dc._msdcs.")[1]),
    tostring(split(Name, "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.")[1]))
| where isnotempty(LDAPQueryHost)
// Drop names that look like the organisation's own domain controllers or local-only names
| where not (LDAPQueryHost has ".local" or LDAPQueryHost has "workgroup" or LDAPQueryHost has "-DC")
| where QueryType == "33"   // SRV record lookup
| where ResultCode == 0     // the lookup succeeded


// MITRE ATT&CK 

Explanation

This KQL query is designed to detect potential exploitation attempts of a vulnerability known as LDAPNightmare (CVE-2024-49113) on Windows Servers. Here's a simplified breakdown of what the query does:

  1. Data Source: It analyzes DNS events (DnsEvents) to identify suspicious LDAP queries.

  2. Time Frame: The query focuses on events generated in the last hour (TimeGenerated > ago(1h)).

  3. LDAP Query Identification: It looks for DNS queries that include specific LDAP service records, which are typically used to locate domain controllers:

    • _ldap._tcp.dc._msdcs.
    • _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.
  4. Extracting Host Information: It extracts the host part of the LDAP query (LDAPQueryHost), i.e. the domain name that follows the SRV record prefix, by splitting the query name on the identified LDAP service record.

  5. Filtering Hosts: It filters out any hosts that are likely non-threatening or irrelevant by excluding those that:

    • Contain ".local"
    • Contain "workgroup"
    • Contain "-DC"
  6. Query Type and Result Code: It further narrows down the results to DNS queries of type "33" (SRV records) with a successful result code (ResultCode == 0).

Overall, this query aims to identify potentially malicious LDAP queries that could indicate an attempt to exploit the LDAPNightmare vulnerability, while filtering out benign or irrelevant queries.
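The same filtering logic, re-implemented in Python so it can be run offline over constructed sample rows. This is an added example and not part of the original query page; the sample rows, the ClientIP column and the reference time are constructed, and KQL's case-insensitive term match (`has`) is approximated here with a case-insensitive substring test, which is slightly broader.

```python
"""Python re-implementation of the LDAPNightmare DNS detection logic,
run over constructed sample rows shaped like the DnsEvents columns used
by the KQL query (not real telemetry)."""
from datetime import datetime, timedelta, timezone

# The two SRV record prefixes the KQL query keys on.
SRV_PREFIXES = (
    "_ldap._tcp.dc._msdcs.",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.",
)

# Markers the KQL query uses to drop hosts it treats as benign or irrelevant.
# KQL `has` is a case-insensitive term match; a case-insensitive substring
# test is used here as a close (slightly broader) approximation.
BENIGN_MARKERS = (".local", "workgroup", "-dc")

# Constructed reference time so the one-hour window is deterministic.
NOW = datetime(2025, 1, 3, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows (ClientIP is an assumed extra column, not one the query reads).
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(minutes=5), "ClientIP": "10.0.0.5",
     "Name": "_ldap._tcp.dc._msdcs.contoso.com", "QueryType": "33", "ResultCode": 0},
    {"TimeGenerated": NOW - timedelta(minutes=10), "ClientIP": "10.0.0.6",
     "Name": "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example",
     "QueryType": "33", "ResultCode": 0},
    # Dropped by the ".local" exclusion.
    {"TimeGenerated": NOW - timedelta(minutes=2), "ClientIP": "10.0.0.7",
     "Name": "_ldap._tcp.dc._msdcs.lab.local", "QueryType": "33", "ResultCode": 0},
    # Dropped because the lookup failed (non-zero ResultCode).
    {"TimeGenerated": NOW - timedelta(minutes=3), "ClientIP": "10.0.0.8",
     "Name": "_ldap._tcp.dc._msdcs.contoso.com", "QueryType": "33", "ResultCode": 9003},
    # Dropped: not an LDAP SRV lookup at all.
    {"TimeGenerated": NOW - timedelta(minutes=1), "ClientIP": "10.0.0.9",
     "Name": "www.contoso.com", "QueryType": "1", "ResultCode": 0},
    # Dropped: outside the one-hour window.
    {"TimeGenerated": NOW - timedelta(hours=2), "ClientIP": "10.0.0.10",
     "Name": "_ldap._tcp.dc._msdcs.contoso.com", "QueryType": "33", "ResultCode": 0},
]


def extract_ldap_query_host(name):
    """Mirror the KQL `extend`: return the text after the first SRV prefix, else None."""
    lower = name.lower()
    for prefix in SRV_PREFIXES:
        idx = lower.find(prefix.lower())
        if idx != -1:
            return name[idx + len(prefix):]
    return None


def is_suspicious(event, now=NOW, window=timedelta(hours=1)):
    """Apply the query's filters, in the same order, to a single row."""
    if now - event["TimeGenerated"] > window:
        return False
    host = extract_ldap_query_host(event["Name"])
    if not host:
        return False
    host_lower = host.lower()
    if any(marker in host_lower for marker in BENIGN_MARKERS):
        return False
    if str(event["QueryType"]) != "33":      # SRV record lookup
        return False
    return event["ResultCode"] == 0            # the lookup succeeded


def find_suspicious(events, now=NOW):
    """Return (ClientIP, LDAPQueryHost) for every row that survives the filters."""
    return [(e["ClientIP"], extract_ldap_query_host(e["Name"]))
            for e in events if is_suspicious(e, now)]


if __name__ == "__main__":
    for client, host in find_suspicious(SAMPLE_EVENTS):
        print(f"{client} -> {host}")
```

Running the script lists the two rows that survive: the successful SRV lookups for `contoso.com` and `corp.example`. The surviving rows are returned together with the querying client so that an analyst can pivot to the source host, which is the natural next step when triaging a hit from this query.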

Details

Steven Lim

Released: January 3, 2025

Tables

DnsEvents

Keywords

DnsEvents

Operators

DnsEvents, |, where, >, ago(), or, has, extend, iff(), tostring(), split(), isnotempty(), not, ==