Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious LDAP-Attributes Used

Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
xknowCreated Sun Mar 24Updated Wed Oct 05d00a9a72-2c09-4459-ad03-5e0a23351e36windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security

Definition

The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)

Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 5136
        AttributeValue|contains: '*'
        AttributeLDAPDisplayName:
            - 'primaryInternationalISDNNumber'
            - 'otherFacsimileTelephoneNumber'
            - 'primaryTelexNumber'
    condition: selection
False Positives

Companies, who may use these default LDAP-Attributes for personal information

References
1
Resolving title…
medium.com
2
Resolving title…
blog.fox-it.com
3
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
d00a9a72-2c09-4459-ad03-5e0a23351e36
Status
test
Level
high
Type
Detection
Created
Sun Mar 24
Modified
Wed Oct 05
Author
xknow
Path
rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml
Raw Tags
attack.t1001.003attack.command-and-control
View on GitHub