Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
31 lines
1.7 KiB
YAML
31 lines
1.7 KiB
YAML
title: Suspicious LDAP-Attributes Used
|
|
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
|
|
status: test
|
|
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
|
|
references:
|
|
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
|
|
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
|
|
- https://github.com/fox-it/LDAPFragger
|
|
author: xknow @xknow_infosec
|
|
date: 2019-03-24
|
|
modified: 2022-10-05
|
|
tags:
|
|
- attack.t1001.003
|
|
- attack.command-and-control
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
|
|
detection:
|
|
selection:
|
|
EventID: 5136
|
|
AttributeValue|contains: '*'
|
|
AttributeLDAPDisplayName:
|
|
- 'primaryInternationalISDNNumber'
|
|
- 'otherFacsimileTelephoneNumber'
|
|
- 'primaryTelexNumber'
|
|
condition: selection
|
|
falsepositives:
|
|
- Companies, who may use these default LDAP-Attributes for personal information
|
|
level: high
|