LDAP Nightmare (CVE-2024-49112) #5151
Comments
|
Welcome @devilman85 👋 It looks like this is your first issue on the Sigma rules repository! The following repository accepts issues related to If you're reporting an issue related to the pySigma library please consider submitting it here If you're reporting an issue related to the deprecated sigmac library please consider submitting it here Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃 |
|
can you move it to rule ideas |
|
@devilman85 I'm interested in researching this as well. Do you have a sample log by any chance and can you explain how did you reach the conclusion that this can be detected by error 52? |
|
[02-Jan-2025 10:15:30] LDAP Error 52: Unavailable EventID: 1644 |
Reading the cve in the subject I created this rule that you could include in your pool.... Please verify the correctness of the rule and also send me the changes and post it. Thank you for your attention
title: Rilevamento di tentativi di exploit per CVE-2024-49112 (LDAPNightmare)
id: b7f9e2d2-3c4a-4f8e-9a6e-2d3c4a5f8e9a
status: experimental
description: Rileva tentativi di sfruttamento della vulnerabilità CVE-2024-49112 nel servizio LDAP di Windows.
references:
author: Michele "Devilman" Boschetto
date: 2025/01/02
logsource:
product: windows
service: security
category: directory-service
detection:
selection:
EventID: 1644
LDAPResultCode: 52
condition: selection
falsepositives:
level: critical
tags:
tactics:
required_fields:
query: >
event.category == "directory-service" and
event.action == "error" and
EventID == 1644 and
LDAPResultCode == 52
integration:
The text was updated successfully, but these errors were encountered: