The LDAP Whitespace Problem | Huntress
ATT&CK techniques detected
T1087.002 Domain Account
82%
"userAccountControl & 524288' This worked in my lab where I was using the same tool in the same way every time. "Ship it to production!" I said. "It's bulletproof!" I said. 30% hit rate in production. I spent three days thinking our SIEM was broken. Spoiler: it wasn't. …"
T1087.002 Domain Account
62%
"…4288) (userAccountControl & 524288) Look at that mess. Look at it. That's the same exact query, six different ways. Why does this happen? Look back at our flow diagram — the transformation happens in the LDAP service layer, but the exact spacing depends on: - how the orig…"
T1654 Log Enumeration
52%
": - (msDS-AllowedToDelegateTo=*) - (msDS-AllowedToActOnBehalfOfOtherIdentity=*) selection_excl_8192: winlog.event_data.ldapfilter|contains: - (!(userAccountControl & 8192)) - (!(userAccountControl & 8192)) - (!(userAccountControl & 8192)) selec…"
Summary
Your LDAP detection rules work in the lab but fail in production. Here's why Event 1644 whitespace variations break your Sigma rules and how to fix them.