LoFP / companies, who may use these default ldap-attributes for personal information

Techniques

Sample rules

Suspicious LDAP-Attributes Used

Description

Detects the use of particular AttributeLDAPDisplayName values that the tool LDAPFragger is known to use for data exchange via LDAP and that are not commonly used in companies.

Detection logic

condition: selection
selection:
  AttributeLDAPDisplayName:
  - primaryInternationalISDNNumber
  - otherFacsimileTelephoneNumber
  - primaryTelexNumber
  AttributeValue|contains: '*'
  EventID: 5136
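
The selection above, evaluated over constructed event records, as an added example (not part of the rule or of LoFP). It assumes the usual Sigma matching semantics: keys are ANDed, list items are ORed, string comparison is case-insensitive, `*` is a wildcard, and an absent field never matches; the `matches` helper and the sample events are hypothetical.

```python
import re

# Selection copied from the rule on this page.
# All keys must match (AND); a list value is a set of alternatives (OR).
SELECTION = {
    "EventID": 5136,
    "AttributeLDAPDisplayName": [
        "primaryInternationalISDNNumber",
        "otherFacsimileTelephoneNumber",
        "primaryTelexNumber",
    ],
    "AttributeValue|contains": "*",
}

def _to_regex(pattern, contains):
    # Sigma wildcards: '*' is any run of characters, '?' is exactly one.
    body = re.escape(str(pattern)).replace(r"\*", ".*").replace(r"\?", ".")
    if contains:
        body = ".*" + body + ".*"
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def matches(event, selection=SELECTION):
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if event.get(field) is None:
            return False  # assumption: an absent field never matches
        values = expected if isinstance(expected, list) else [expected]
        actual = str(event[field])
        if not any(_to_regex(v, modifier == "contains").fullmatch(actual)
                   for v in values):
            return False
    return True

# Constructed sample events (not real log data).
EVENTS = [
    {"EventID": 5136, "AttributeLDAPDisplayName": "primaryTelexNumber",
     "AttributeValue": "constructed-opaque-value"},
    # An ordinary number stored in the attribute still matches: this is the
    # false positive named in the page title.
    {"EventID": "5136", "AttributeLDAPDisplayName": "PrimaryInternationalISDNNumber",
     "AttributeValue": "+00 000 0000000"},
    {"EventID": 5136, "AttributeLDAPDisplayName": "telephoneNumber",
     "AttributeValue": "+00 000 0000000"},
    {"EventID": 4662, "AttributeLDAPDisplayName": "primaryTelexNumber",
     "AttributeValue": "x"},
    {"EventID": 5136, "AttributeLDAPDisplayName": "otherFacsimileTelephoneNumber"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(matches(ev), ev.get("AttributeLDAPDisplayName"))
```

Because `AttributeValue|contains: '*'` accepts any value, the rule cannot tell legitimate directory data from tool traffic by content; whether these three attributes are in regular use in the environment decides how noisy it is.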