CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
5da0f5e322de5996e616563f73d6da3be4e10bc3
hayabusa/rules/sigma/builtin/security/win_susp_ldap_dataexchange.yml
itiB 83d891b2fa Feature/rm submodule (#312) 
* rm: submodule

* Add: rules

* Fix: hayabusa-rules to c9c10a
2021-12-20 21:14:32 +09:00

37 lines
1.1 KiB
YAML
Raw Blame History

title: Suspicious LDAP-Attributes Used
ruletype: Sigma
author: xknow @xknow_infosec
date: 2019/03/24
description: Detects the usage of particular AttributeLDAPDisplayNames, which are
known for data exchange via LDAP by the tool LDAPFragger and are additionally not
commonly used in companies.
detection:
SELECTION_1:
EventID: 5136
SELECTION_2:
AttributeValue: '*'
SELECTION_3:
AttributeLDAPDisplayName:
- primaryInternationalISDNNumber
- otherFacsimileTelephoneNumber
- primaryTelexNumber
condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Companies, who may use these default LDAP-Attributes for personal information
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
level: high
logsource:
product: windows
service: security
modified: 2021/11/27
references:
- https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
status: test
tags:
- attack.t1071
- attack.t1001.003
- attack.command_and_control
Reference in New Issue View Git Blame Copy Permalink