LDAP Nightmare (CVE-2024-49112)

[devilman85]

Reading the cve in the subject I created this rule that you could include in your pool.... Please verify the correctness of the rule and also send me the changes and post it. Thank you for your attention

title: Rilevamento di tentativi di exploit per CVE-2024-49112 (LDAPNightmare)
id: b7f9e2d2-3c4a-4f8e-9a6e-2d3c4a5f8e9a
status: experimental
description: Rileva tentativi di sfruttamento della vulnerabilità CVE-2024-49112 nel servizio LDAP di Windows.
references:

• https://www.cve.org/CVERecord?id=CVE-2024-49112
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49112
  author: Michele "Devilman" Boschetto
  date: 2025/01/02
  logsource:
  product: windows
  service: security
  category: directory-service
  detection:
  selection:
  EventID: 1644
  LDAPResultCode: 52
  condition: selection
  falsepositives:
• Operazioni LDAP legittime che generano errori specifici; è necessario verificare il contesto.
  level: critical
  tags:
• attack.privilege_escalation
• attack.credential_access
• attack.initial_access
• cve.cve-2024-49112
• protocol.ldap
  tactics:
• Privilege Escalation
• Credential Access
• Initial Access
  required_fields:
• EventID
• LDAPResultCode
  query: >
  event.category == "directory-service" and
  event.action == "error" and
  EventID == 1644 and
  LDAPResultCode == 52
  integration:
• Windows
• System

[github-actions]

Welcome @devilman85 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

[devilman85]

can you move it to rule ideas

[DanielKoifman]

@devilman85 I'm interested in researching this as well. Do you have a sample log by any chance and can you explain how did you reach the conclusion that this can be detected by error 52?
Thanks!

[devilman85]

[02-Jan-2025 10:15:30] LDAP Error 52: Unavailable
Client: 192.168.1.100
Request:
Operation: ModifyRequest
DN: CN=John Doe,OU=Users,DC=example,DC=com
Details: Unable to contact directory service due to missing dependency.

EventID: 1644
Source: Microsoft-Windows-ActiveDirectory_DomainService
Task Category: LDAP Interface
Level: Warning
Message:
LDAP request processing error.
LDAPResultCode: 52 (Unavailable)
Request DN: CN=John Doe,OU=Users,DC=example,DC=com
Operation: SearchRequest
Client IP: 192.168.1.100
Server IP: 192.168.1.200

[devilman85]

i've modify the code
Detection of exploitation attempts for CVE-2024-49112 (LDAPNightmare).zip