frack113
35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
title: Suspicious LDAP Domain Access
|
|
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
|
|
status: experimental
|
|
description: Detect suspicious LDAP request from non-Windows application
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
|
|
author: frack113
|
|
date: 2022/08/20
|
|
modified: 2022/09/21
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1482
|
|
logsource:
|
|
product: windows
|
|
category: dns_query
|
|
detection:
|
|
dns_request:
|
|
QueryName|startswith: '_ldap.'
|
|
filter_windows:
|
|
Image|startswith: 'C:\Windows\'
|
|
filter_defender:
|
|
Image|startswith:
|
|
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
|
|
- 'C:\Program Files\Windows Defender\MsMpEng.exe'
|
|
- 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe'
|
|
Image|endswith: '\MsMpEng.exe'
|
|
filter_unknown:
|
|
Image: '<unknown process>'
|
|
filter_azure:
|
|
Image|startswith: 'C:\WindowsAzure\GuestAgent'
|
|
condition: dns_request and not 1 of filter_*
|
|
falsepositives:
|
|
- Programs that also lookup the observed domain
|
|
level: medium
|