LDAP Nightmare (CVE-2024-49112) #5151

Open
devilman85 opened this issue Jan 2, 2025 · 5 comments
@devilman85

Reading the CVE in the subject, I created this rule that you could include in your pool. Please verify the correctness of the rule and also send me the changes and post it. Thank you for your attention.

```yaml
# Rule as posted in the issue, re-indented into valid YAML; the Italian
# strings are the author's original values and are left untouched.
title: Rilevamento di tentativi di exploit per CVE-2024-49112 (LDAPNightmare)  # "Detection of exploit attempts for CVE-2024-49112 (LDAPNightmare)"
id: b7f9e2d2-3c4a-4f8e-9a6e-2d3c4a5f8e9a
status: experimental
description: Rileva tentativi di sfruttamento della vulnerabilità CVE-2024-49112 nel servizio LDAP di Windows.  # "Detects attempts to exploit CVE-2024-49112 in the Windows LDAP service."
references:
  - https://www.cve.org/CVERecord?id=CVE-2024-49112
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49112
author: Michele "Devilman" Boschetto
date: 2025/01/02
logsource:
  product: windows
  service: security
  category: directory-service
detection:
  selection:
    EventID: 1644
    LDAPResultCode: 52
  condition: selection
falsepositives:
  - Operazioni LDAP legittime che generano errori specifici; è necessario verificare il contesto.  # "Legitimate LDAP operations that produce specific errors; the context must be checked."
level: critical
tags:
  - attack.privilege_escalation
  - attack.credential_access
  - attack.initial_access
  - cve.cve-2024-49112
  - protocol.ldap
tactics:
  - Privilege Escalation
  - Credential Access
  - Initial Access
required_fields:
  - EventID
  - LDAPResultCode
query: >
  event.category == "directory-service" and
  event.action == "error" and
  EventID == 1644 and
  LDAPResultCode == 52
integration:
  - Windows
  - System
```
github-actions bot (Contributor) commented Jan 2, 2025

Welcome @devilman85 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

@devilman85 (Author)

Can you move it to rule ideas?

@DanielKoifman

@devilman85 I'm interested in researching this as well. Do you have a sample log by any chance, and can you explain how you reached the conclusion that this can be detected by error 52?
Thanks!

@devilman85 (Author)

```text
[02-Jan-2025 10:15:30] LDAP Error 52: Unavailable
Client: 192.168.1.100
Request:
Operation: ModifyRequest
DN: CN=John Doe,OU=Users,DC=example,DC=com
Details: Unable to contact directory service due to missing dependency.

EventID: 1644
Source: Microsoft-Windows-ActiveDirectory_DomainService
Task Category: LDAP Interface
Level: Warning
Message:
LDAP request processing error.
LDAPResultCode: 52 (Unavailable)
Request DN: CN=John Doe,OU=Users,DC=example,DC=com
Operation: SearchRequest
Client IP: 192.168.1.100
Server IP: 192.168.1.200
```
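To see what the posted `selection` actually matches, here is an added Python example (not from the issue author or the Sigma project) that parses key/value event text like the sample above and applies the rule's two-field selection (EventID 1644 AND LDAPResultCode 52). The line parser, the `SAMPLE_EVENTS` list and the two extra non-matching events in it are constructed for the example; only the first event is modelled on the sample in this thread.

```python
"""Apply the issue's Sigma selection to 'Key: value' event text.

Added example; the parser and the constructed events below are assumptions,
not Sigma or pySigma code.
"""
import re
from typing import Dict, List

# Selection copied from the rule posted in the issue (AND of both fields).
SELECTION = {"EventID": 1644, "LDAPResultCode": 52}

# Constructed events. The first mirrors the sample in the thread; the second
# (same event id, result code 0) and third (different event id, result code 52)
# are constructed non-matching cases.
SAMPLE_EVENTS = [
    """EventID: 1644
Source: Microsoft-Windows-ActiveDirectory_DomainService
Task Category: LDAP Interface
Level: Warning
Message:
LDAP request processing error.
LDAPResultCode: 52 (Unavailable)
Request DN: CN=John Doe,OU=Users,DC=example,DC=com
Operation: SearchRequest
Client IP: 192.168.1.100
Server IP: 192.168.1.200""",
    """EventID: 1644
Source: Microsoft-Windows-ActiveDirectory_DomainService
LDAPResultCode: 0 (Success)
Client IP: 192.168.1.101""",
    """EventID: 2889
Source: Microsoft-Windows-ActiveDirectory_DomainService
LDAPResultCode: 52 (Unavailable)
Client IP: 192.168.1.102""",
]

# One 'Key: value' line; keys are words separated by single spaces.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_event(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict of strings.

    'LDAPResultCode: 52 (Unavailable)' keeps only the leading numeric code so
    it can be compared with the number in the rule. Lines without a 'Key:'
    prefix (such as the free-text message body) are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "LDAPResultCode" and value:
            value = value.split()[0]
        fields[key] = value
    return fields


def matches_selection(fields: Dict[str, str], selection=SELECTION) -> bool:
    """Sigma selection semantics: every listed field must be present and equal."""
    for key, expected in selection.items():
        if key not in fields or str(fields[key]) != str(expected):
            return False
    return True


def run_rule(events: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that the selection matches."""
    return [f for f in (parse_event(e) for e in events) if matches_selection(f)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("match:", hit["EventID"], hit["LDAPResultCode"], hit.get("Client IP"))
```

The second and third constructed events show that the selection is a plain conjunction on two fields: any EventID 1644 record that carries result code 52 (Unavailable) fires, regardless of operation, DN or client, which is what the rule's own falsepositives entry about legitimate LDAP errors refers to.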

@devilman85 (Author)
