{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ldap/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["low"],"_cs_tags":["active_directory","ldap","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis rule identifies read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information. The rule focuses on event code 4662, filtering for \u0026lsquo;Read Property\u0026rsquo; access where the number of properties accessed is greater than or equal to 2000. The rule is designed to detect potential reconnaissance activities within an Active Directory environment, providing security teams with insights into unusual access patterns that may indicate malicious intent.\nThis detection logic helps security teams proactively identify and respond to potential threats targeting Active Directory environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the target network, possibly through compromised credentials or a phishing attack (not directly covered in the provided source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised account to query Active Directory via LDAP.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a series of LDAP queries, requesting a large number of attributes for various Active Directory objects, triggering event ID 4662.\u003c/li\u003e\n\u003cli\u003eThe event logs record the excessive number of read property accesses (winlog.event_data.Properties), exceeding the threshold of 2000.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify potential targets, such as privileged accounts, sensitive data stores, or vulnerable systems.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to elevate privileges by exploiting identified vulnerabilities or misconfigurations within Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access sensitive information or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gather sensitive information about the Active Directory environment, identify potential vulnerabilities, elevate privileges, and move laterally within the network. This can lead to data breaches, system compromise, and significant disruption to business operations.\nThe number of victims and sectors targeted is dependent on the scope and objectives of the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Directory Service Access to generate the necessary events (event code 4662) as mentioned in the setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Access to LDAP Attributes\u0026rdquo; to your SIEM and tune the threshold (length(winlog.event_data.Properties) \u0026gt;= 2000) for your environment.\u003c/li\u003e\n\u003cli\u003eReview event logs for event code 4662, focusing on the \u003ccode\u003ewinlog.event_data.Properties\u003c/code\u003e field, to understand which attributes were accessed.\u003c/li\u003e\n\u003cli\u003eInvestigate the source machine from which the LDAP queries originated by examining the \u003ccode\u003ewinlog.event_data.SubjectUserSid\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-suspicious-ldap-attributes/","summary":"The rule detects suspicious access to LDAP attributes in Active Directory by identifying read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.","title":"Suspicious Access to LDAP Attributes","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-ldap-attributes/"}],"language":"en","title":"CraftedSignal Threat Feed — Ldap","version":"https://jsonfeed.org/version/1.1"}