Docs

external_ldap_access

Suggest Edits

Explanation

The external_ldap_access NDM is designed to search for instances of non-customer network access of LDAP resources. This type of access can leave a network vulnerable to attackers attempting to gain unauthorized access to sensitive data.

What to Look For

To examine the results of the external_ldap_access event, look for instances of LDAP access outside of the customer network. This includes activity on network ports associated with LDAP (389 and 636), as well as any uncommon activity on those ports. Additionally, review logs for failed authentication attempts or unusual activity on directory servers. Remediation may involve disabling unnecessary LDAP services or configuring stronger authentication mechanisms.

Related MITRE ATT&CK Categories

Account Discovery, Techniques T1087

Domain Trust Discovery, Techniques T1482

Group Policy Discovery, Techniques T1615

Permission Groups Discovery, Techniques T1069

Remote System Discovery, Techniques T1018

Updated 4 days ago