| Technique ID | Title | Link |
|---|---|---|
| T1210 | Exploitation of Remote Services | https://attack.mitre.org/techniques/T1210/ |
The query below detects the inital connection made to try and run the LDAPNightmare exploit. The intial connection connects to the victim server, which sends a DNS SRV query. If the query below triggers it does not necessarily mean that the exploit worked, if the system is patched or the RPC access is denied the exploit cannot be executed but the query will return results. By this you can also hunt for attempts, if the victim is still vulnerable for the vulnerability it is likely exploited.
The ExcludedSources list can be used to filter known false/benign positives, depending on your confirguration it can be that a part of this behaviour is also executed by benign processes. Filter common used RemoteIPs to exclude them from the results. Other tools that leverage DsrGetDcNameEx2 may also be included in the results.
LDAPNightmare exploit executed.
- https://github.com/SafeBreach-Labs/CVE-2024-49113
- https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/
let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP
| project-reorder Timestamp, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLinelet ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP
| project-reorder TimeGenerated, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLine