CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects an exploitation attempt of CVE-2024-49113, known as LDAP Nightmare, based on an "Application Error" log entry (Event ID 1000) in which the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Sigma rule
title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
status: experimental
description: |
    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
references:
    - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
    - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
author: Samuel Monsempes
date: 2025-01-08
tags:
    - attack.impact
    - attack.t1499
    - cve.2024-49113
    - detection.emerging-threats
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        Data|contains|all:
            - 'lsass.exe'
            - 'WLDAP32.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
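The following is an added illustration, not part of the rule or the SigmaHQ project: it applies the rule's `selection` logic (provider, Event ID 1000, and the `Data|contains|all` substring test, which Sigma evaluates case-insensitively) to a handful of constructed Application log records, so the match and the near-miss cases (an lsass crash in another module, a WLDAP32.dll fault in a non-lsass process, a follow-up Event ID 1001 record) are visible side by side. The record layout, event values and the `AppEvent` helper are assumptions made for this example.

```python
"""Apply the LDAP Nightmare Sigma rule's selection logic to Windows
Application log records (constructed sample events, not real telemetry)."""
from dataclasses import dataclass

# Literal values taken from the rule's `selection` block.
PROVIDER = "Application Error"
EVENT_ID = 1000
NEEDLES = ("lsass.exe", "WLDAP32.dll")  # Data|contains|all


@dataclass
class AppEvent:
    """Minimal view of one Windows Application log record (assumed shape)."""
    provider_name: str
    event_id: int
    data: str  # EventData joined into one string: the rule's 'Data' container


def matches_rule(ev: AppEvent) -> bool:
    """True when the record satisfies every clause of `selection`.

    Sigma string comparisons are case-insensitive by default, so both the
    provider check and the `contains|all` test are done on lower-cased text."""
    if ev.provider_name.lower() != PROVIDER.lower() or ev.event_id != EVENT_ID:
        return False
    haystack = ev.data.lower()
    return all(needle.lower() in haystack for needle in NEEDLES)


# Constructed records modelled on the EventData layout of Event ID 1000
# (faulting app, version, faulting module, version, exception code, offset,
# pid). Every value below is made up for the example.
SAMPLE_EVENTS = [
    AppEvent("Application Error", 1000,  # the pattern the rule targets
             "lsass.exe|10.0.0.0|WLDAP32.dll|10.0.0.0|0xc0000005|0x12345|0x2b4"),
    AppEvent("Application Error", 1000,  # lsass crash in a different module
             "lsass.exe|10.0.0.0|ntdll.dll|10.0.0.0|0xc0000374|0xf0001|0x2b4"),
    AppEvent("Application Error", 1000,  # WLDAP32.dll fault outside lsass
             "notepad.exe|10.0.0.0|WLDAP32.dll|10.0.0.0|0xc0000005|0x12345|0x1f0"),
    AppEvent("Windows Error Reporting", 1001,  # WER follow-up, wrong EventID
             "lsass.exe|WLDAP32.dll|0xc0000005"),
]


def alerts(events):
    """Return the indexes of the records the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    print("alerting record indexes:", alerts(SAMPLE_EVENTS))  # → [0]
```

Only the first record fires; the others show why the rule keys on both substrings together rather than on an lsass crash or a WLDAP32.dll fault alone.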