SigmaHQ/rules/windows/builtin/win_susp_ldap_dataexchange.yml

title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
status: experimental
date: 2019/03/24
modified: 2020/08/23
author: xknow @xknow_infosec
references:
    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
    - https://github.com/fox-it/LDAPFragger
tags:
    - attack.t1071          # an old one
    - attack.t1001.003
    - attack.command_and_control
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5136
        AttributeValue: '*'
        AttributeLDAPDisplayName:
            - 'primaryInternationalISDNNumber'
            - 'otherFacsimileTelephoneNumber'
            - 'primaryTelexNumber'
    condition: selection
falsepositives:
    - Companies, who may use these default LDAP-Attributes for personal information
level: high
Title capalized 2020-03-26 16:03:33 +00:00			`title: Suspicious LDAP-Attributes Used`
add LDAPFragger detections 2020-03-26 14:13:36 +00:00			`id: d00a9a72-2c09-4459-ad03-5e0a23351e36`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.`
add LDAPFragger detections 2020-03-26 14:13:36 +00:00			`status: experimental`
			`date: 2019/03/24`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`modified: 2020/08/23`
add LDAPFragger detections 2020-03-26 14:13:36 +00:00			`author: xknow @xknow_infosec`
			`references:`
			`- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961`
			`- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/`
			`- https://github.com/fox-it/LDAPFragger`
			`tags:`
att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-24 23:09:17 +00:00			`- attack.t1071 # an old one`
			`- attack.t1001.003`
			`- attack.command_and_control`
add LDAPFragger detections 2020-03-26 14:13:36 +00:00			`logsource:`
			`product: windows`
			`service: security`
			`detection:`
			`selection:`
			`EventID: 5136`
			`AttributeValue: '*'`
			`AttributeLDAPDisplayName:`
			`- 'primaryInternationalISDNNumber'`
			`- 'otherFacsimileTelephoneNumber'`
			`- 'primaryTelexNumber'`
			`condition: selection`
			`falsepositives:`
			`- Companies, who may use these default LDAP-Attributes for personal information`
Fixed title length 2020-03-26 15:56:06 +00:00			`level: high`