CVE-2024-49113 Exploitation Attempt - LDAP Nightmare

Detects an exploitation attempt of CVE-2024-49113, known as LDAP Nightmare, based on an "Application Error" event (EventID 1000) in which the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".

Sigma rule

title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
status: experimental
description: |
    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
references:
    - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
    - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
author: Samuel Monsempes
date: 2025-01-08
tags:
    - attack.impact
    - attack.t1499
    - cve.2024-49113
    - detection.emerging-threats
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'lsass.exe'
            - 'WLDAP32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
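The following is an added example, not part of the Sigma rule or the SigmaHQ project, showing how the rule's selection logic behaves when applied to Windows Application log records. It parses event XML in the standard Windows event schema, flattens the positional EventData elements into the single "Data" container the rule's comment refers to, and then applies the three conditions (provider, EventID, and both substrings). The four sample events are constructed, not real captures: the hostname, version strings and exception code are placeholders, and the true positive, the lsass.exe crash in a different module, the non-lsass crash in WLDAP32.dll, and the record from a different provider are chosen to show what fires and what does not.

```python
"""Apply the LDAP Nightmare Sigma rule logic to Windows Application log events.

Added example: the event XML below is CONSTRUCTED to mimic the shape of an
Application Error (EventID 1000) record; it is not a real capture.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Windows Event Log XML namespace (the real schema URI used by EVTX exports)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection, transcribed from the Sigma rule above
RULE_PROVIDER = "Application Error"
RULE_EVENT_ID = 1000
RULE_DATA_TERMS = ("lsass.exe", "WLDAP32.dll")


@dataclass
class AppEvent:
    provider: str
    event_id: int
    data: str  # the whole EventData payload flattened into one string


def parse_event(xml_text: str) -> AppEvent:
    """Extract Provider_Name, EventID and the flattened Data container."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name", "")
    event_id = int(system.find("e:EventID", NS).text)
    # Application Error 1000 events carry positional <Data> elements
    # (faulting app name, version, ..., faulting module name, ...). The Sigma
    # rule's 'Data' field is this container as a whole, so join every element.
    data = " ".join((d.text or "") for d in root.findall("e:EventData/e:Data", NS))
    return AppEvent(provider, event_id, data)


def matches_ldap_nightmare_rule(event: AppEvent) -> bool:
    """Sigma selection: Provider_Name AND EventID AND Data|contains|all."""
    if event.provider != RULE_PROVIDER or event.event_id != RULE_EVENT_ID:
        return False
    # Sigma string matching is case-insensitive by default
    data = event.data.lower()
    return all(term.lower() in data for term in RULE_DATA_TERMS)


def _app_error_xml(app: str, module: str, provider: str = RULE_PROVIDER,
                   event_id: int = RULE_EVENT_ID) -> str:
    """Build a constructed EventID 1000 record (placeholder values, not real data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="{provider}" />
    <EventID>{event_id}</EventID>
    <Channel>Application</Channel>
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data>{app}</Data>
    <Data>10.0.20348.1</Data>
    <Data>{module}</Data>
    <Data>10.0.20348.1</Data>
    <Data>c0000005</Data>
  </EventData>
</Event>"""


# Constructed sample events: one true positive and three that must not fire
SAMPLE_EVENTS = {
    "lsass_wldap32": _app_error_xml("lsass.exe", "WLDAP32.dll"),
    "lsass_other_module": _app_error_xml("lsass.exe", "ntdll.dll"),
    "other_app_wldap32": _app_error_xml("svchost.exe", "WLDAP32.dll"),
    "wrong_provider": _app_error_xml("lsass.exe", "WLDAP32.dll",
                                     provider="Windows Error Reporting", event_id=1001),
}


def find_alerts(events: dict[str, str]) -> list[str]:
    """Return the names of the events the rule would alert on."""
    return [name for name, xml in events.items()
            if matches_ldap_nightmare_rule(parse_event(xml))]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT CVE-2024-49113 candidate: {name}")
```

Flattening every EventData element into one string is the simplest way to honour the rule's "Data" container; a backend that exposes the positional fields by name (for example the faulting application and faulting module as separate columns) can match those columns directly instead, which is what the rule's warning comment asks you to adapt.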
