ldap_scanning_inside_to_outside

Explanation

This NDM is designed to detect LDAP scanning that exits the customer's network. LDAP (Lightweight Directory Access Protocol) is an open protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. The NDM triggers on outbound LDAP scanning, which may indicate an infection: an attacker using a compromised machine on the customer network to pivot further outside of the network.

What to Look For

To analyze the results of this NDM event, customers should look for outbound LDAP scanning traffic leaving their networks. LDAP scanning involves seeking out LDAP services and then attempting to authenticate as a valid user; it can be used to gain access to sensitive information and credentials. Any endpoint exhibiting this behavior should be thoroughly investigated, and its access credentials should be audited and changed as necessary. Additionally, customers should review their security policies and configurations to ensure that LDAP-related services are not publicly accessible and that access is controlled according to the principle of least privilege.
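The following is an added illustration of the detection idea described above; it is not the NDM's own logic and does not come from the original page. It runs a simple "fan-out" check over constructed flow records: an internal (RFC 1918) host that opens connections to many distinct external hosts on the standard LDAP ports (389, 636, 3268, 3269) is flagged as a candidate for the investigation and credential audit described above. The record format, the sample addresses and the threshold of five distinct targets are assumptions chosen for the example.

```python
"""Flag internal hosts scanning external LDAP services (added example, not NDM code)."""
import ipaddress
from collections import defaultdict

# Standard LDAP, LDAPS and Global Catalog port assignments.
LDAP_PORTS = {389, 636, 3268, 3269}

# RFC 1918 ranges treated as "inside" the customer network (assumption for the example).
# Listed explicitly rather than using ipaddress.is_private, which also marks the
# documentation ranges used in the sample data below (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 fans out to five external LDAP hosts; 10.0.0.7 only talks to an
# internal directory server and an external HTTPS host; 10.0.0.9 touches one
# external LDAP host, which on its own is not scanning behaviour.
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.0.0.5 203.0.113.10 389
2024-01-01T10:00:02 10.0.0.5 203.0.113.11 389
2024-01-01T10:00:03 10.0.0.5 203.0.113.12 636
2024-01-01T10:00:04 10.0.0.5 203.0.113.13 389
2024-01-01T10:00:05 10.0.0.5 203.0.113.14 3268
2024-01-01T10:00:06 10.0.0.7 10.0.0.20 389
2024-01-01T10:00:07 10.0.0.7 198.51.100.9 443
2024-01-01T10:00:08 10.0.0.9 198.51.100.30 389
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[tuple[str, str, str, int]]:
    """Parse the whitespace-separated flow format into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((ts, src, dst, int(port)))
    return flows


def find_outbound_ldap_scanners(flows, threshold: int = 5) -> dict[str, list[str]]:
    """Return {internal_src: sorted external LDAP targets} for sources whose
    number of distinct external LDAP-port targets reaches the threshold."""
    targets: dict[str, set[str]] = defaultdict(set)
    for _ts, src, dst, port in flows:
        if port not in LDAP_PORTS:
            continue  # not LDAP traffic
        if is_internal(src) and not is_internal(dst):
            targets[src].add(dst)  # inside-to-outside LDAP connection
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def main() -> None:
    hits = find_outbound_ldap_scanners(parse_flows(SAMPLE_FLOWS))
    for src, dsts in hits.items():
        print(f"{src} contacted {len(dsts)} external LDAP hosts: {', '.join(dsts)}")


if __name__ == "__main__":
    main()
```

In production the same check would be computed per time window and the threshold tuned to the environment; a legitimate federation or cloud directory client contacts a small, stable set of external hosts, whereas a scanner touches many distinct addresses in a short span.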

Related MITRE ATT&CK Categories

System Owner/User Discovery, Technique T1033 - Enterprise
Brute Force, Technique T1110 - Enterprise
Network Denial of Service, Technique T1498 - Enterprise
Endpoint Denial of Service, Technique T1499 - Enterprise