Detection rules › Splunk
Potential CVE-2024-49113 - LDAPNightmare (Windows Event Log)
SafeBreach Labs revealed a PoC for CVE-2024-49113, codenamed LDAPNightmare. The PoC is designed to crash any unpatched Windows Server with no prerequisites except that the DNS server of the victim domain controller has internet connectivity. This use case detects potential Windows LDAP Denial of Service Vulnerability events involving lsass.exe and the WLDAP32.dll module in application errors. Windows Application event 1000 is required for detection.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1499 Endpoint Denial of Service |
References
- https://github.com/SafeBreach-Labs/CVE-2024-49112?tab=readme-ov-file
- https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112
- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
- https://github.com/SigmaHQ/sigma/pull/5155/files
Event coverage
| Provider | Event |
|---|---|
| Application-Error | Event ID 1000 |
Rule body yaml
id: '40834.75130'
title: Potential CVE-2024-49113 - LDAPNightmare
description: SafeBreach Labs revealed a PoC for CVE-2024-49113, codenamed LDAPNightmare.
The PoC is designed to crash any unpatched Windows Server with no prerequisites
except that the DNS server of the victim domain controller has internet connectivity.
This use case detects potential Windows LDAP Denial of Service Vulnerability events
involving lsass.exe and the WLDAP32.dll module in application errors. Windows Application
event 1000 is required for detection.
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=1000) OR
"<EventID>1000<") "lsass.exe" "WLDAP32.dll" | table _time, host, user user, process,
process_*, parent_* | bin span=1s | stats values(*) as * by _time, host '
techniques:
- impact:endpoint denial of service
technique_id:
- T1499
data_category:
- Windows event logs
references:
- https://github.com/SafeBreach-Labs/CVE-2024-49112?tab=readme-ov-file
- https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112
- https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7
- https://github.com/SigmaHQ/sigma/pull/5155/files
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=1000) OR "<EventID>1000<") "lsass.exe" "WLDAP32.dll"
Stage 2: table
| table _time, host, user user, process, process_*, parent_*
Stage 3: bucket
| bin span=1s
Stage 4: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1000<" |
| 1 | "lsass.exe" |
| 1 | "WLDAP32.dll" |