Discovery of misconfigured certificate templates using LDAP

Cortex XDR Analytics Alert Reference by data source
Last date published
2024-04-15
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent
  • Requires:
    • eXtended Threat Hunting (XTH)

Detection Modules

ATT&CK Tactic

Discovery (TA0007)

ATT&CK Technique

File and Directory Discovery (T1083)

Severity

Medium

Description

An LDAP query searching for misconfigured certificate templates was executed.

Attacker's Goals

An attacker can use misconfigured certificate templates for escalation and authentication.

Investigative actions

  • Check if the LDAP search query was allowed for the user (logged on at event time) or process.
  • Investigate the LDAP search query for any suspicious indicators.