ldap_scanning_outside_to_inside
Explanation
The ldap_scanning_outside_to_inside NDM is designed to detect LDAP scanning attempts originating from outside the network targeting LDAP servers residing inside the network. LDAP scanning typically involves queries against LDAP servers to gather information about network resources and can be an early phase of an attack.
What to Look For
To detect and remediate the issue, customers should look for inbound LDAP scanning attempts from external IP addresses. LDAP (Lightweight Directory Access Protocol) is the protocol used for accessing and maintaining distributed directory information services over an IP network; in most environments it is served by domain controllers or directory servers that should not be reachable from the Internet at all, so any inbound LDAP traffic from an external address deserves attention.

Customers should examine their network and endpoint logs for LDAP traffic (typically TCP 389 and 636, and 3268/3269 for the Active Directory Global Catalog) arriving from external addresses, and in particular for a single external source that touches several internal hosts on those ports. Once identified, customers should verify whether the scan was successful: did any internal server complete the connection, accept an anonymous or unauthenticated bind, or return directory data? Any server that did is the most likely point of unauthorized access to sensitive information and should be examined first.

Immediate action should be taken to block the external IP, bearing in mind that scanners often rotate source addresses, so blocking alone is not a lasting fix. Customers should also determine why the LDAP service was reachable from outside, close the firewall or NAT rule that allowed it, and eliminate any security gaps that may have been exploited.
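As an added example (not part of this page or of the detection model itself), the following Python script shows the core of the check described above run over constructed flow records: it keeps only outside-to-inside connections on LDAP ports, groups them by external source, flags any source that reached several internal hosts, and separates the hosts that actually answered (where the follow-up check for anonymous binds or leaked directory data should start). The internal address ranges, the threshold of three targets, and the Zeek-style conn_state labels are assumptions for the example; adjust them to your own flow source.

```python
"""Flag inbound LDAP scanning: one external source touching LDAP ports on many internal hosts."""
import ipaddress
from collections import defaultdict

# Ports an LDAP scanner probes: LDAP, LDAPS, and the AD Global Catalog (plain and TLS).
LDAP_PORTS = {389, 636, 3268, 3269}

# Assumption: the organisation's internal address space. A detection model would take
# this from its configuration; it is hard-coded here for the example.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Zeek-style conn_state values meaning the TCP handshake completed, i.e. the LDAP
# server answered the scanner. Assumption: other flow sources use different labels.
COMPLETED_STATES = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_ldap_scans(flows, min_targets=3):
    """Return {external_src: {"targets": [...], "responded": [...], "ports": [...]}}.

    A source is reported when it reached LDAP ports on at least min_targets distinct
    internal hosts. "responded" lists the internal hosts whose handshake completed.
    """
    per_src = defaultdict(lambda: {"targets": set(), "responded": set(), "ports": set()})
    for flow in flows:
        src, dst, port, state = flow["src"], flow["dst"], flow["dport"], flow["state"]
        if port not in LDAP_PORTS:
            continue
        if is_internal(src) or not is_internal(dst):
            continue  # only outside-to-inside traffic is of interest here
        entry = per_src[src]
        entry["targets"].add(dst)
        entry["ports"].add(port)
        if state in COMPLETED_STATES:
            entry["responded"].add(dst)
    return {
        src: {key: sorted(values) for key, values in entry.items()}
        for src, entry in per_src.items()
        if len(entry["targets"]) >= min_targets
    }


# Constructed sample flow records (not real traffic): one scanner sweeping four hosts
# with one server answering, one external host probing a single server, plus benign
# internal and non-LDAP flows that the check must ignore.
SAMPLE_FLOWS = [
    {"src": "203.0.113.5", "dst": "10.0.0.10", "dport": 389, "state": "S0"},
    {"src": "203.0.113.5", "dst": "10.0.0.11", "dport": 389, "state": "S0"},
    {"src": "203.0.113.5", "dst": "10.0.0.12", "dport": 389, "state": "SF"},
    {"src": "203.0.113.5", "dst": "10.0.0.13", "dport": 636, "state": "REJ"},
    {"src": "203.0.113.5", "dst": "10.0.0.20", "dport": 443, "state": "SF"},
    {"src": "10.0.0.50", "dst": "10.0.0.10", "dport": 389, "state": "SF"},
    {"src": "198.51.100.7", "dst": "10.0.0.10", "dport": 389, "state": "S0"},
]

if __name__ == "__main__":
    for src, info in find_ldap_scans(SAMPLE_FLOWS).items():
        print(f"{src}: {len(info['targets'])} LDAP targets on ports {info['ports']}; "
              f"responded: {info['responded']}")
```

Run against the sample data, only 203.0.113.5 is reported (four internal targets across ports 389 and 636, with 10.0.0.12 the one host that answered); the single probe from 198.51.100.7 stays below the threshold, and the internal client and the HTTPS flow are ignored. In production the "responded" hosts are the ones to check for anonymous bind and for LDAP queries in their own server logs.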
Related MITRE ATT&CK Categories
System Owner/User Discovery, Technique T1033 - Enterprise
Brute Force, Technique T1110 - Enterprise