Type: Detection | Level: low | Status: test
DNS Server Discovery Via LDAP Query
Detects DNS server discovery via LDAP query requests from uncommon applications
Log Source
Product: windows
Category: dns_query
DNS lookup events generated by endpoint monitoring tools.
Detection Logic (7 selectors)
detection:
  selection:
    QueryName|startswith: '_ldap.'
  filter_main_generic:
    Image|contains:
      - ':\Program Files\'
      - ':\Program Files (x86)\'
      - ':\Windows\'
  filter_main_defender:
    Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
    Image|endswith: '\MsMpEng.exe'
  filter_main_unknown:
    Image: '<unknown process>'
  filter_optional_azure:
    Image|startswith: 'C:\WindowsAzure\GuestAgent'
  filter_main_null:
    Image: null
  filter_optional_browsers:
    # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name, baseline this list with the browsers you use internally and add their full paths.
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\opera.exe'
  condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Likely
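To see exactly which events the condition above fires on, here is a hand-written evaluation of the rule over a handful of constructed dns_query events. This is an added example, not the rule's own code and not pySigma: it reimplements the selection, the filters and the condition with Sigma's default case-insensitive string matching. SAMPLE_EVENTS are constructed, not real telemetry, and the optional browser_paths parameter is an assumption that illustrates the baselining advice in the rule's comment (exact full paths instead of an image-name suffix), showing why a renamed binary slips past filter_optional_browsers as written.

```python
"""Hand-rolled evaluation of the Sigma rule over constructed DNS-query events.

Added example: not the rule's code and not pySigma. Implements the rule's
selection, filters and condition with Sigma's default case-insensitive string
matching. SAMPLE_EVENTS are constructed; browser_paths is an assumed parameter
demonstrating the baselining advice in the rule's comment.
"""
from typing import Iterable, Optional


def _lower(value: object) -> Optional[str]:
    """Sigma string modifiers match case-insensitively unless |cased is used."""
    return value.lower() if isinstance(value, str) else None


def selection(ev: dict) -> bool:
    # QueryName|startswith: '_ldap.'
    q = _lower(ev.get("QueryName"))
    return q is not None and q.startswith("_ldap.")


def filter_main_generic(ev: dict) -> bool:
    img = _lower(ev.get("Image"))
    return img is not None and any(
        part in img
        for part in (":\\program files\\", ":\\program files (x86)\\", ":\\windows\\")
    )


def filter_main_defender(ev: dict) -> bool:
    # Two keys in one map: the contains AND the endswith must both hold.
    img = _lower(ev.get("Image"))
    return (
        img is not None
        and ":\\programdata\\microsoft\\windows defender\\platform\\" in img
        and img.endswith("\\msmpeng.exe")
    )


def filter_main_unknown(ev: dict) -> bool:
    return _lower(ev.get("Image")) == "<unknown process>"


def filter_main_null(ev: dict) -> bool:
    # Image: null matches events where the field is absent or null.
    return ev.get("Image") is None


def filter_optional_azure(ev: dict) -> bool:
    img = _lower(ev.get("Image"))
    return img is not None and img.startswith("c:\\windowsazure\\guestagent")


def filter_optional_browsers(ev: dict, browser_paths: Optional[Iterable[str]] = None) -> bool:
    img = _lower(ev.get("Image"))
    if img is None:
        return False
    if browser_paths is None:
        # As written in the rule: image-name suffix only, so any path matches.
        return img.endswith(("\\chrome.exe", "\\firefox.exe", "\\opera.exe"))
    # Baselined variant (assumed): exact full paths of the browsers you deploy.
    return img in {p.lower() for p in browser_paths}


def matches(ev: dict, browser_paths: Optional[Iterable[str]] = None) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(ev):
        return False
    main = (filter_main_generic, filter_main_defender, filter_main_unknown, filter_main_null)
    if any(f(ev) for f in main):
        return False
    return not (filter_optional_azure(ev) or filter_optional_browsers(ev, browser_paths))


def alerts(events: list, browser_paths: Optional[Iterable[str]] = None) -> list:
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if matches(ev, browser_paths)]


# Constructed events using the dns_query log-source field names.
SAMPLE_EVENTS = [
    # 0: the OS locating a domain controller; suppressed by filter_main_generic
    {"Image": r"C:\Windows\System32\lsass.exe", "QueryName": "_ldap._tcp.dc._msdcs.corp.example"},
    # 1: a tool in a user profile looking up the same SRV record; fires
    {"Image": r"C:\Users\alice\AppData\Local\Temp\recon.exe", "QueryName": "_ldap._tcp.corp.example"},
    # 2: the same tool renamed chrome.exe; filter_optional_browsers hides it
    {"Image": r"C:\Users\alice\Downloads\chrome.exe", "QueryName": "_LDAP._tcp.corp.example"},
    # 3: same odd path but not an _ldap. query; selection does not match
    {"Image": r"C:\Users\alice\AppData\Local\Temp\recon.exe", "QueryName": "www.example.com"},
    # 4: Defender engine (constructed version segment); suppressed by filter_main_defender
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.x\MsMpEng.exe", "QueryName": "_ldap._tcp.corp.example"},
    # 5: event without an Image field; suppressed by filter_main_null
    {"QueryName": "_ldap._tcp.corp.example"},
]

# Full paths of the browsers actually deployed (assumed for this example).
BASELINED_BROWSERS = [r"C:\Program Files\Google\Chrome\Application\chrome.exe"]

if __name__ == "__main__":
    print("as written:", alerts(SAMPLE_EVENTS))                       # [1]
    print("baselined: ", alerts(SAMPLE_EVENTS, BASELINED_BROWSERS))   # [1, 2]
```

With the rule as written only event 1 fires; event 2 (the same binary renamed to chrome.exe in Downloads) is swallowed by filter_optional_browsers. Once the browser filter is baselined to full paths, event 2 fires too, which is the point of the comment in the rule.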
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques: T1482 Domain Trust Discovery (attack.t1482)
Rule Metadata
Rule ID
a21bcd7e-38ec-49ad-b69a-9ea17e69509e
Status
test
Level
low
Type
Detection
Created
Sat Aug 20
Modified
Mon Sep 18
Author
Path
rules/windows/dns_query/dns_query_win_dns_server_discovery_via_ldap_query.yml
Raw Tags
attack.discovery, attack.t1482