Detect Outbound LDAP Traffic

Name:Detect Outbound LDAP Traffic
id:5e06e262-d7cd-4216-b2f8-27b437e18458
version:3
date:2024-10-17
author:Bhavin Patel, Johan Bjerke, Splunk
status:production
type:Hunting
Description:The following analytic identifies outbound LDAP traffic to external IP addresses. It leverages the Network_Traffic data model to detect connections on ports 389 or 636 that are not directed to private IP ranges (RFC1918). This activity is significant because outbound LDAP traffic can indicate potential data exfiltration or unauthorized access attempts. If confirmed malicious, attackers could exploit this to access sensitive directory information, leading to data breaches or further network compromise.
Data_source:

• -Bro

search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_ip) as dest_ip from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port = 389 OR All_Traffic.dest_port = 636 AND NOT (All_Traffic.dest_ip = 10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip = 172.16.0.0/12) by All_Traffic.src_ip All_Traffic.dest_ip |`drop_dm_object_name("All_Traffic")`
| where src_ip != dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` |`detect_outbound_ldap_traffic_filter`

how_to_implement:In order to properly run this search, Splunk needs to ingest data from Next Generation Firewalls like Palo Alto Networks Firewalls or other network control devices that mediate the traffic allowed into an environment. The search requires the Network_Traffic data model to be populated.
known_false_positives:Unknown at this moment. Outbound LDAP traffic should not be allowed outbound through your perimeter firewall. Please check those servers to verify if the activity is legitimate.
References:
  -https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Log4Shell CVE-2021-44228'
  asset_type:Endpoint
  confidence:80
  cve:
    - 'CVE-2021-44228'
  impact:70
  message:An outbound LDAP connection from $src_ip$ in your infrastructure connecting to dest ip $dest_ip$
  mitre_attack_id:
    - 'T1190'
    - 'T1059'
  observable:
    name:'src_ip'
    type:'IP Address'
    - role:
      - 'Victim'
    name:'dest_ip'
    type:'IP Address'
    - role:
      - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'All_Traffic.dest_ip'
    - 'All_Traffic.dest_port'
    - 'All_Traffic.src_ip'
  risk_score:56
  security_domain:network

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/log4shell_ldap_traffic/pantraffic.log
  sourcetype: pan:traffic
  source: pan:traffic
manual_test:None