Sigma Rule Update (2025-01-09 20:14:58) (#804)

Co-authored-by: hach1yon <[email protected]>
Yamato-Security · Jan 9, 2025 · ddfed3c · ddfed3c
1 parent 1dee2d9
commit ddfed3c
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/...4/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml b/...4/Exploits/CVE-2024-49113/win_application_error_exploit_cve_2024_49113_ldap_nightmare.yml
@@ -0,0 +1,36 @@
+title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
+id: 1117f6c7-1c68-9c6e-c3e8-191e9d687387
+related:
+    - id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
+      type: derived
+status: experimental
+description: |
+    Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
+references:
+    - https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
+    - https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
+author: Samuel Monsempes
+date: 2025-01-08
+tags:
+    - attack.impact
+    - attack.t1499
+    - cve.2024-49113
+    - detection.emerging-threats
+logsource:
+    product: windows
+    service: application
+    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+    application:
+        Channel: Application
+    selection:
+        Provider_Name: Application Error
+        EventID: 1000
+        Data|contains|all:
+            - lsass.exe
+            - WLDAP32.dll
+    condition: application and selection
+falsepositives:
+    - Unknown
+level: high
+ruletype: Sigma