ldap_scanning_internal

Explanation

This NDM was written by the Netography Threat Research team to detect unauthorized LDAP scanning activity within a customer's network.

What to Look For

When examining the results of the ldap_scanning_internal event, look for activity indicative of LDAP scanning. LDAP (Lightweight Directory Access Protocol) is the protocol used to query and manage directory services such as Active Directory; it normally listens on TCP/UDP 389, LDAPS on TCP 636, and the Active Directory Global Catalog on TCP 3268/3269. LDAP scanning is the act of probing hosts for these services and querying the directory they expose; at the network level it appears as one internal host contacting many directory hosts on LDAP ports in a short period, and it can be used to enumerate users, groups, computers and other configuration data.

If LDAP scanning activity is detected, it may be an attacker performing reconnaissance for a later stage of an attack, or attempting to exploit a vulnerability in the directory service itself.

Customers should add authorized LDAP scanners, such as network monitors and vulnerability scanners, to the "Discard" function of this NDM so that they do not trigger false positives. Any unauthorized LDAP scanning activity should be investigated and remediated promptly, as it may be the reconnaissance stage of an attack or an indication of an existing compromise.
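As an added example, not Netography's NDM implementation, the following Python shows the flow-level logic that such a detection reduces to: a source host that reaches many distinct destinations on LDAP ports inside a short window is flagged, while sources on an allow-list (playing the role of the "Discard" function) are suppressed. The flow records, addresses, five-minute window and ten-host threshold are all constructed assumptions for illustration.

```python
"""Flow-level detection of internal LDAP scanning over constructed sample records.

Added example, not Netography's NDM logic. It assumes a flow record is a dict
with src, dst, dport, proto and ts fields (a simplification), and the window,
threshold and discard list are illustrative values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports on which directory services listen: LDAP 389 (TCP/UDP), LDAPS 636,
# Active Directory Global Catalog 3268 and its LDAPS variant 3269.
LDAP_PORTS = {389, 636, 3268, 3269}

# Equivalent of the NDM "Discard" list: authorized scanners that must not fire
# the event. The address is an assumption for this example.
DISCARD_SOURCES = {"10.0.0.5"}

# Tunables (assumed values, not the NDM's actual thresholds).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_DESTS = 10


def detect_ldap_scanners(flows, window=WINDOW, min_dests=MIN_DISTINCT_DESTS,
                         discard=DISCARD_SOURCES):
    """Return {src: {dst, ...}} for every source that contacted at least
    `min_dests` distinct hosts on LDAP ports within any span of length `window`.

    A workstation that talks to its single domain controller thousands of times
    is not a scanner: the count is of distinct destinations, not of flows.
    """
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] not in ("tcp", "udp") or f["dport"] not in LDAP_PORTS:
            continue
        if f["src"] in discard:
            continue
        per_src[f["src"]].append((f["ts"], f["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of flows inside the window
        left = 0
        for right, (ts, dst) in enumerate(events):
            in_window[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_dests:
                hits.setdefault(src, set()).update(in_window)
    return hits


def build_sample_flows():
    """Constructed flow records (not real traffic) covering the cases that matter."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    flows = []

    def add(src, dst, dport, seconds, proto="tcp"):
        flows.append({"src": src, "dst": dst, "dport": dport, "proto": proto,
                      "ts": base + timedelta(seconds=seconds)})

    # 1. Scanner: 15 distinct hosts on 389 within 30 seconds -> should fire.
    for i in range(1, 16):
        add("10.1.1.50", f"10.1.2.{i}", 389, 2 * i)
    # 2. Normal workstation: many flows to one domain controller -> no fire.
    for i in range(20):
        add("10.1.1.20", "10.1.2.10", 389, 10 * i)
    # 3. Authorized monitor on the discard list -> suppressed although it scans.
    for i in range(1, 16):
        add("10.0.0.5", f"10.1.2.{i}", 389, 3 * i)
    # 4. SMB sweep: many hosts, but not an LDAP port -> outside this NDM's scope.
    for i in range(1, 21):
        add("10.1.1.30", f"10.1.2.{i}", 445, i)
    # 5. Slow LDAPS probe: 12 hosts, one per hour -> never 10 inside 5 minutes.
    for i in range(1, 13):
        add("10.1.1.60", f"10.1.2.{i}", 636, 3600 * i)
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for src, dsts in detect_ldap_scanners(SAMPLE_FLOWS).items():
        print(f"ldap_scanning_internal: {src} probed {len(dsts)} hosts on LDAP ports")
```

Run as-is, only the scanner at 10.1.1.50 is reported; removing 10.0.0.5 from the discard set makes the authorized monitor fire as well, which is exactly the false positive the "Discard" function exists to prevent. The slow probe case shows the trade-off a window-based threshold makes: an attacker who spreads queries out over hours stays under it, so the window and count should be tuned to the environment rather than treated as fixed.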

Related MITRE ATT&CK Categories

System Owner/User Discovery, Technique T1033 - Enterprise

Brute Force, Technique T1110 - Enterprise

Network Denial of Service, Technique T1498 - Enterprise

Endpoint Denial of Service, Technique T1499 - Enterprise