Suspicious LDAP-Attributes Used
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Sigma rule

title: Suspicious LDAP-Attributes Used
id: d00a9a72-2c09-4459-ad03-5e0a23351e36
status: test
description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
references:
  - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
  - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
  - https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec
date: 2019-03-24
modified: 2022-10-05
tags:
  - attack.t1001.003
  - attack.command-and-control
logsource:
  product: windows
  service: security
  definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following event IDs - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule needs to be set up (see https://github.com/OTRF/Set-AuditRule).
detection:
  selection:
    EventID: 5136
    AttributeValue|contains: '*'
    AttributeLDAPDisplayName:
      - 'primaryInternationalISDNNumber'
      - 'otherFacsimileTelephoneNumber'
      - 'primaryTelexNumber'
  condition: selection
falsepositives:
  - Companies who may use these default LDAP attributes for personal information
level: high
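The following is an added example, not code from the Sigma project or from the LDAPFragger write-ups the rule references. It parses Windows Security event XML for event 5136 ("A directory service object was modified") and applies the rule's `selection` logic: EventID 5136, AttributeLDAPDisplayName in the rule's list, and an AttributeValue present (the `contains: '*'` clause is a Sigma wildcard that accepts any value, which is read here as "field present"). The sample events, user names and DNs are constructed; the EventData field names follow the 5136 event schema.

```python
"""Apply the 'Suspicious LDAP-Attributes Used' selection to 5136 event XML.

Added example (not part of the Sigma rule or the referenced projects).
"""
import xml.etree.ElementTree as ET

# Windows event XML lives in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rarely used attributes the rule keys on, copied from the rule's selection.
SUSPICIOUS_ATTRIBUTES = frozenset({
    "primaryInternationalISDNNumber",
    "otherFacsimileTelephoneNumber",
    "primaryTelexNumber",
})


def parse_event(xml_text: str) -> dict:
    """Flatten one Security event into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's `selection` block."""
    if event.get("EventID") != 5136:
        return False
    if event.get("AttributeLDAPDisplayName") not in SUSPICIOUS_ATTRIBUTES:
        return False
    # `AttributeValue|contains: '*'` matches any value; require the field to exist.
    return "AttributeValue" in event


def triage(xml_events) -> list:
    """Return (SubjectUserName, ObjectDN, attribute) for every matching event.

    These are the fields an analyst pivots on to check the rule's stated false
    positive: an organisation that legitimately stores contact data in them.
    """
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if matches_rule(ev):
            hits.append((ev["SubjectUserName"], ev["ObjectDN"],
                         ev["AttributeLDAPDisplayName"]))
    return hits


def _event(event_id: int, user: str, dn: str, attr: str, value: str) -> str:
    """Build a constructed Security event XML string for the samples below."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{event_id}</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ObjectDN">{dn}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">{attr}</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>"""


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Modification of a rule-listed attribute: should match.
    _event(5136, "jdoe", "CN=jdoe,OU=Users,DC=example,DC=local",
           "primaryTelexNumber", "constructed-value-1"),
    # Ordinary attribute change: should not match.
    _event(5136, "jdoe", "CN=jdoe,OU=Users,DC=example,DC=local",
           "description", "Updated job title"),
    # Same attribute but wrong event ID (object deleted, 5141): should not match.
    _event(5141, "asmith", "CN=asmith,OU=Users,DC=example,DC=local",
           "primaryTelexNumber", "constructed-value-2"),
]

if __name__ == "__main__":
    for user, dn, attr in triage(SAMPLE_EVENTS):
        print(f"ALERT: {user} modified {attr} on {dn}")
```

Because the rule fires on any value written to these attributes, the parsed ObjectDN and SubjectUserName are what distinguish a single legitimate HR update from the repeated writes to one object that LDAP-based data exchange would produce.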