ldap_scanning_outside_to_inside

Explanation

The ldap_scanning_outside_to_inside NDM is designed to detect LDAP scanning attempts originating from outside the network targeting LDAP servers residing inside the network. LDAP scanning typically involves queries against LDAP servers to gather information about network resources and can be an early phase of an attack.

What to Look For

To detect and remediate the issue, customers should look for inbound LDAP scanning attempts from external IP addresses. LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining distributed directory information services over an IP network. Customers should examine their network and endpoint logs to identify suspicious LDAP traffic, in particular external sources connecting to LDAP ports on internal hosts. Once identified, customers should verify whether the LDAP scan was successful and whether any unauthorized access to sensitive information occurred. The external IP should be blocked promptly and any security gaps that may have been exploited should be closed.
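As an added illustration, not part of the original NDM documentation, the following Python sketch applies the outside-to-inside check to constructed flow records: an external source that reaches several distinct internal LDAP endpoints within a short window is flagged. The flow-record format, the LDAP port set, the RFC 1918 internal ranges and the window/threshold values are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed LDAP ports: 389 (LDAP), 636 (LDAPS), 3268/3269 (Global Catalog)
LDAP_PORTS = {389, 636, 3268, 3269}
# Assumed "inside" address space (RFC 1918)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: "<iso-timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01 203.0.113.7 10.0.0.5 389",
    "2024-05-01T10:00:02 203.0.113.7 10.0.0.6 389",
    "2024-05-01T10:00:03 203.0.113.7 10.0.0.7 636",
    "2024-05-01T10:00:04 203.0.113.7 10.0.0.8 443",   # not LDAP, ignored
    "2024-05-01T10:00:05 10.0.0.20 10.0.0.5 389",     # inside-to-inside, ignored
    "2024-05-01T10:00:06 198.51.100.9 10.0.0.5 389",  # one target, below threshold
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_ldap_scans(lines, window=timedelta(minutes=5), min_targets=3):
    """Return {external_src: sorted (dst, port) list} for every external source
    that reached at least min_targets distinct internal LDAP endpoints within
    `window`. Only outside-to-inside flows to LDAP ports are considered."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port not in LDAP_PORTS or is_internal(src) or not is_internal(dst):
            continue
        events[src].append((ts, dst, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order
        for i, (start, _, _) in enumerate(evs):
            # Distinct internal LDAP endpoints hit within `window` of this event
            targets = {(d, p) for t, d, p in evs[i:] if t - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    for src, targets in detect_ldap_scans(SAMPLE_FLOWS).items():
        print(f"LDAP scan from {src}: {len(targets)} internal endpoints {targets}")
```

Real deployments would feed firewall or NetFlow records into `parse_flow` and tune the window and threshold to the environment's normal inbound LDAP baseline (ideally none).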

Related MITRE ATT&CK Categories

System Owner/User Discovery, Technique T1033 - Enterprise

Brute Force, Technique T1110 - Enterprise

Network Denial of Service, Technique T1498 - Enterprise

Endpoint Denial of Service, Technique T1499 - Enterprise