external_ldap_access

Explanation

The external_ldap_access NDM is designed to search for instances of non-customer network access of LDAP resources. This type of access can leave a network vulnerable to attackers attempting to gain unauthorized access to sensitive data.

What to Look For

To examine the results of the external_ldap_access event, look for instances of LDAP access outside of the customer network. This includes activity on network ports associated with LDAP (389 and 636), as well as any uncommon activity on those ports. Additionally, review logs for failed authentication attempts or unusual activity on directory servers. Remediation may involve disabling unnecessary LDAP services or configuring stronger authentication mechanisms.

Related MITRE ATT&CK Categories

Initial Access, Persistence: External Remote Services, Technique T1133 - Enterprise