LDAP Ping Operations Use Case
LDAP Ping is a Microsoft Active Directory specific Lightweight Directory Access Protocol (LDAP) or Connection-less Lightweight Directory Access Protocol (CLDAP) search that returns information about whether services are live on a domain controller. It also returns information about whether queried Active Directory accounts exist. The LDAP Ping option enables Threat Prevention to monitor and block unwanted LDAP Ping activity; because LDAP Ping requests are anonymous, they are not tied to any authenticated account.
Threat Prevention can be configured to monitor and block LDAP Nom Nom, a tool that performs an anonymous brute-force attack to discover user names in Active Directory by sending LDAP Ping requests to domain controllers.
When you create a policy with the LDAP Monitoring Event Type or the LDAP Lockdown Event Type, the LDAP filter allows you to enable the LDAP Ping option.
Configure the LDAP Query Filter for LDAP Ping
The primary use case for LDAP Ping monitoring and blocking is to detect queries that contain user=. Queries with User= pose a risk because they can leak information about which accounts exist or do not exist in your environment. Since LDAP Ping queries are anonymous, they could come from a malicious user.
LDAP Nom Nom Security Threat
LDAP Nom Nom is a known attack tool that takes advantage of this security weakness. Current versions of LDAP Nom Nom will generate a query that begins with:
'(&(NtVer=0x6)(AAC=16)(User='
On the LDAP Query filter tab, include one of the following LDAP query strings to detect an LDAP Nom Nom security threat:
- user= – Including this filter string reports any query asking about the existence of a user.
  Note: A drawback of this filter string is that it may also return queries that are automatically generated by Windows and are not a security threat.
- (&(NtVer=0x6)(AAC=16)(User= – Including this filter string returns only those queries generated by the currently known version of LDAP Nom Nom.
  Note: The LDAP Nom Nom version could change, so User= will provide the best detection despite the risk of returning false positives such as native Windows activity.
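As an added example that is not part of the original page or of the Threat Prevention product, the following Python applies both filter strings above to constructed CLDAP filter strings and groups the probed User= values per source, which shows why the broad user= rule also fires on a Windows-style ping while the Nom Nom prefix rule does not. The sample filters, source addresses and the shape of the Windows-style ping are assumptions.

```python
import re
from collections import defaultdict

# The two detection strings the page recommends. Matching is case-insensitive
# because the page writes the attribute both as "user=" and "User=".
BROAD_RULE = "user="
NARROW_RULE = "(&(NtVer=0x6)(AAC=16)(User="

# Attribute=value pairs of a flat AND-ed filter, e.g. (&(NtVer=0x6)(User=bob)).
_PAIR_RE = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def parse_ping_filter(filter_str):
    """Return the filter's attributes as a dict keyed by lower-case name."""
    return {k.lower(): v for k, v in _PAIR_RE.findall(filter_str)}


def match_rules(filter_str):
    """Report which of the two page filter strings would fire on this query."""
    low = filter_str.lower()
    return {"broad": BROAD_RULE in low,
            "narrow": low.startswith(NARROW_RULE.lower())}


def probed_users_by_source(events):
    """Collect the User= values each source asked about (broad rule hits only).

    events: iterable of (source_ip, filter_string). Many distinct users from one
    anonymous source is the enumeration pattern the page attributes to Nom Nom.
    """
    seen = defaultdict(set)
    for src, flt in events:
        if match_rules(flt)["broad"]:
            user = parse_ping_filter(flt).get("user")
            if user:
                seen[src].add(user)
    return {src: sorted(users) for src, users in seen.items()}


# Constructed sample CLDAP filters, not captured traffic: two Nom Nom style
# probes from one source, one ping in the shape a Windows client sends (User=
# set alongside DnsDomain and Host), and one ping with no User attribute.
SAMPLE_EVENTS = [
    ("10.0.0.5", "(&(NtVer=0x6)(AAC=16)(User=alice))"),
    ("10.0.0.5", "(&(NtVer=0x6)(AAC=16)(User=bob))"),
    ("10.0.0.7", "(&(DnsDomain=corp.example)(Host=WS01)(User=WS01$)(NtVer=0x6))"),
    ("10.0.0.9", "(&(DnsDomain=corp.example)(NtVer=0x6))"),
]
```

Running `probed_users_by_source(SAMPLE_EVENTS)` attributes two distinct probed users to 10.0.0.5 and one to the Windows-style source, which is the false-positive the page warns about when using the broad rule alone.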