kqlHunting

Data Sources

DeviceNetworkEvents

Platforms

windows, azure-sentinel, microsoft-defender

Tags

vulnerability-exploitation
# LDAPNightmare Exploitation Attempt

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1210 | Exploitation of Remote Services | https://attack.mitre.org/techniques/T1210/ |

#### Description
The query below detects the initial connection made when trying to run the LDAPNightmare exploit. That initial connection targets the victim server, which in turn sends a DNS SRV query. A match does not necessarily mean the exploit succeeded: if the system is patched or RPC access is denied, the exploit cannot execute, but the query still returns results. This also lets you hunt for attempts; if the victim is still vulnerable, it has most likely been exploited.

The *ExcludedSources* list can be used to filter known false positives (benign activity); depending on your configuration, part of this behaviour may also be produced by benign processes. Filter commonly seen RemoteIPs to exclude them from the results.
Other tools that leverage *DsrGetDcNameEx2* may also be included in the results.
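To make the query's filter logic concrete, the following is an added example (not the kqlHunting project's code) that re-implements the four `where` clauses and the `project-rename` step in Python and runs them over a handful of constructed DeviceNetworkEvents-style records. The field names mirror the columns the KQL query uses; the sample events, IPs and device name are all made up for the example, and the `hunt()` / `Hit` names are this example's own.

```python
"""Offline re-implementation of the LDAPNightmare hunting query.

Added example, not the kqlHunting project's code. The records below are
constructed sample data whose keys mirror the DeviceNetworkEvents columns
the KQL query filters on.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Mirrors `let ExcludedSources = pack_array('10.10.10.10');`
EXCLUDED_SOURCES: set[str] = {"10.10.10.10"}

# Constants taken directly from the query's where clauses
ACTION_TYPE = "InboundConnectionAccepted"
INITIATING_IMAGE = "lsass.exe"
LOCAL_PORT = 49664


@dataclass(frozen=True)
class Hit:
    """One output row: RemoteIP -> AttackerIP, LocalIP -> VictimIP (project-rename)."""
    timestamp: str
    device_name: str
    victim_ip: str
    attacker_ip: str
    local_port: int
    initiating_process_command_line: str


def _matches(event: dict, excluded: set[str]) -> bool:
    """Apply the query's four `where` clauses to a single event."""
    if event.get("ActionType") != ACTION_TYPE:
        return False
    if event.get("RemoteIP") in excluded:          # `not(RemoteIP in (ExcludedSources))`
        return False
    # KQL `==` on strings is case-sensitive, so compare exactly as the query does.
    if event.get("InitiatingProcessVersionInfoOriginalFileName") != INITIATING_IMAGE:
        return False
    return event.get("LocalPort") == LOCAL_PORT


def hunt(events: Iterable[dict], excluded: set[str] = EXCLUDED_SOURCES) -> list[Hit]:
    """Return the rows the KQL query would return for the given events."""
    return [
        Hit(
            timestamp=e["Timestamp"],
            device_name=e["DeviceName"],
            victim_ip=e["LocalIP"],
            attacker_ip=e["RemoteIP"],
            local_port=e["LocalPort"],
            initiating_process_command_line=e.get("InitiatingProcessCommandLine", ""),
        )
        for e in events
        if _matches(e, excluded)
    ]


def _event(remote_ip: str, **overrides) -> dict:
    """Build a constructed sample event that matches the query unless overridden."""
    base = {
        "Timestamp": "2025-01-10T08:15:02Z",
        "DeviceName": "dc01.corp.example",          # constructed
        "ActionType": ACTION_TYPE,
        "RemoteIP": remote_ip,
        "LocalIP": "10.0.0.5",                      # constructed
        "LocalPort": LOCAL_PORT,
        "InitiatingProcessVersionInfoOriginalFileName": INITIATING_IMAGE,
        "InitiatingProcessCommandLine": "lsass.exe",
    }
    base.update(overrides)
    return base


# Constructed sample telemetry: one true hit plus four near-misses.
SAMPLE_EVENTS = [
    _event("192.0.2.55"),                                       # matches
    _event("10.10.10.10"),                                      # dropped: in ExcludedSources
    _event("192.0.2.56", InitiatingProcessVersionInfoOriginalFileName="svchost.exe"),
    _event("192.0.2.57", ActionType="ConnectionSuccess"),       # outbound, wrong ActionType
    _event("192.0.2.58", LocalPort=49665),                      # wrong port
]


def hits_from_sample() -> list[Hit]:
    """Run the query logic over the constructed sample events."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for h in hits_from_sample():
        print(h)
```

Running the script prints the single row that survives all four filters; passing an empty `excluded` set to `hunt()` shows how the exclusion list changes the result, which is the same tuning the description above asks you to do with *ExcludedSources*.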

#### Risk
LDAPNightmare exploit executed.

#### References
- https://github.com/SafeBreach-Labs/CVE-2024-49113
- https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/

## Defender XDR
```KQL
// Known benign sources to exclude; extend with hosts that legitimately reach this port
let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
// The inbound connection is accepted by the LSASS process on the victim server
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP
| project-reorder Timestamp, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLine
```

## Sentinel
```KQL
// Known benign sources to exclude; extend with hosts that legitimately reach this port
let ExcludedSources = pack_array('10.10.10.10');
DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted"
| where not(RemoteIP in (ExcludedSources))
// The inbound connection is accepted by the LSASS process on the victim server
| where InitiatingProcessVersionInfoOriginalFileName == "lsass.exe"
| where LocalPort == 49664
| project-rename AttackerIP = RemoteIP, VictimIP = LocalIP
// Sentinel exposes the event time as TimeGenerated instead of Timestamp
| project-reorder TimeGenerated, DeviceName, VictimIP, AttackerIP, LocalPort, InitiatingProcessCommandLine
```