title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
references:
    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
    - https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec
date: 2019-03-24
modified: 2022-10-05
tags:
    - attack.t1001.003
    - attack.command-and-control
logsource:
    product: windows
    service: security
    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
    selection:
        EventID: 5136
        AttributeValue|contains: '*'
        AttributeLDAPDisplayName:
            - 'primaryInternationalISDNNumber'
            - 'otherFacsimileTelephoneNumber'
            - 'primaryTelexNumber'
    condition: selection
falsepositives:
    - Companies, who may use these default LDAP-Attributes for personal information
level: high

title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
    Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
    This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
    - https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
    - https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 3
        AuthenticationPackageName: 'Kerberos'
        IpAddress: '127.0.0.1'
        TargetUserSid|startswith: 'S-1-5-21-'
        TargetUserSid|endswith: '-500'
    filter_main_ip_null:
        IpPort: '0'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Import LDAP Data Interchange Format File Via Ldifde.EXE
id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
status: test
description: |
    Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
references:
    - https://twitter.com/0gtweet/status/1564968845726580736
    - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022-09-02
modified: 2023-03-14
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ldifde.exe'
        - OriginalFileName: 'ldifde.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-i'
            - '-f'
    condition: all of selection_*
falsepositives:
    - Since the content of the files are unknown, false positives are expected
level: medium

title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
    - https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
    - attack.discovery
    - attack.t1069.002
    - attack.t1087.002
    - attack.t1482
logsource:
    product: windows
    service: ldap
    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            # - '(objectCategory=Computer)' Prone to false positives
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
            - 'admincount=1'
    distinguished_name_enumeration:
        EventID: 30
        SearchFilter: '(objectclass=\*)'
        DistinguishedName|contains:
            - 'CN=Domain Admins'
            - 'CN=Enterprise Admins'
            - 'CN=Group Policy Creator Owners'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium

title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
    - attack.discovery
    - attack.t1482
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|startswith: '_ldap.'
    filter_main_generic:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
            - ':\Windows\'
    filter_main_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_unknown:
        Image: '<unknown process>'
    filter_optional_azure:
        Image|startswith: 'C:\WindowsAzure\GuestAgent'
    filter_main_null:
        Image: null
    filter_optional_browsers:
        # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\opera.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
# Note: Incrase the level once a baseline is established
level: low