DNS Server Discovery Via LDAP Query

Severity: low
Author: frack113
Source: upstream

Detects DNS server discovery via LDAP query requests from uncommon applications

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1482` Domain Trust Discovery

Event coverage

Provider	Event ID	Title
Sysmon	22	DNSEvent (DNS query)

Stages and Predicates

Stage 1: `selection`

QueryName|startswith: _ldap.

Stage 2: `not 1 of filter_main_*`

or:
Image|endswith: '\MsMpEng.exe'
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image: '<unknown process>'
Image: null
Image|contains: ':\Program Files (x86)\'
Image|contains: ':\Program Files\'
Image|contains: ':\Windows\'

Stage 3: `not 1 of filter_optional_*`

or:
Image|endswith: '\chrome.exe'
Image|endswith: '\firefox.exe'
Image|endswith: '\opera.exe'
Image|startswith: 'C:\WindowsAzure\GuestAgent'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\MsMpEng.exe` corpus 13 (sigma 13) `\chrome.exe` corpus 11 (sigma 11) `\firefox.exe` corpus 6 (sigma 6) `\opera.exe` corpus 21 (sigma 21)
`Image`	eq	`<unknown process>` corpus 2 (sigma 2)
`Image`	match	`:\Program Files (x86)\` corpus 4 (sigma 4) `:\Program Files\` corpus 6 (sigma 6) `:\ProgramData\Microsoft\Windows Defender\Platform\` corpus 2 (sigma 2) `:\Windows\`
`Image`	starts_with	`C:\WindowsAzure\GuestAgent`
`QueryName`	starts_with	`_ldap.`