DNS Server Discovery Via LDAP Query

Detects DNS server discovery via LDAP query requests from uncommon applications

Sigma rule

title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: experimental
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022/08/20
modified: 2023/09/18
tags:
    - attack.discovery
    - attack.t1482
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|startswith: '_ldap.'
    filter_main_generic:
        Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
            - ':\Windows\'
    filter_main_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_main_unknown:
        Image: '<unknown process>'
    filter_optional_azure:
        Image|startswith: 'C:\WindowsAzure\GuestAgent'
    filter_main_null:
        Image: null
    filter_optional_browsers:
        # Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name, baseline this list with the browsers you use internally and add their full paths.
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\opera.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
# Note: Increase the level once a baseline is established
level: low
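As an added example that is not part of the rule or of the Sigma project, the Python below evaluates the same selection and filter logic over constructed Sysmon Event ID 22 records, so you can see which events the condition `selection and not 1 of filter_main_* and not 1 of filter_optional_*` lets through. Field names QueryName and Image follow the rule; the sample image paths and query names are constructed, and Sigma string modifiers are case-insensitive, so both sides are lower-cased before comparison.

```python
# Lower-cased constants mirror the rule's filter values (Sigma matching is case-insensitive).
GENERIC_PATHS = (":\\program files\\", ":\\program files (x86)\\", ":\\windows\\")
DEFENDER_PLATFORM = ":\\programdata\\microsoft\\windows defender\\platform\\"
AZURE_AGENT = "c:\\windowsazure\\guestagent"
BROWSERS = ("\\chrome.exe", "\\firefox.exe", "\\opera.exe")


def _norm(value):
    """Lower-case a field value, keeping None (a missing field) as None."""
    return None if value is None else value.lower()


def matches(event):
    """True when the rule fires: selection holds and no filter_main_*/filter_optional_* holds."""
    query = _norm(event.get("QueryName"))
    image = _norm(event.get("Image"))
    if query is None or not query.startswith("_ldap."):
        return False                                # selection not met
    if image is None:                               # filter_main_null
        return False
    if image == "<unknown process>":                # filter_main_unknown
        return False
    if any(p in image for p in GENERIC_PATHS):      # filter_main_generic
        return False
    if DEFENDER_PLATFORM in image and image.endswith("\\msmpeng.exe"):  # filter_main_defender
        return False
    if image.startswith(AZURE_AGENT):               # filter_optional_azure
        return False
    if image.endswith(BROWSERS):                    # filter_optional_browsers
        return False
    return True


# Constructed Sysmon Event ID 22 (DnsQuery) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\recon.exe", "QueryName": "_ldap._tcp.dc._msdcs.corp.example.local"},
    {"Image": "C:\\Windows\\System32\\lsass.exe", "QueryName": "_ldap._tcp.dc._msdcs.corp.example.local"},
    {"Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\<version>\\MsMpEng.exe",
     "QueryName": "_ldap._tcp.corp.example.local"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
     "QueryName": "_ldap._tcp.corp.example.local"},
    {"Image": "C:\\WindowsAzure\\GuestAgent_<version>\\WaAppAgent.exe", "QueryName": "_ldap._tcp.corp.example.local"},
    {"Image": None, "QueryName": "_ldap._tcp.corp.example.local"},
    {"Image": "C:\\Users\\alice\\Downloads\\recon.exe", "QueryName": "www.example.com"},
    {"Image": "C:\\Temp\\tool.exe", "QueryName": "_LDAP._tcp.pdc._msdcs.corp.example.local"},
]


def alerts(events):
    """Return the Image of every event that fires the rule."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # only the two user-writable-path binaries remain
```

Only the two processes running from user-writable paths survive the filters; the system, Defender, browser, Azure agent and null-image records are all suppressed, which is why the rule's level stays low until those filters are baselined for your environment.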
