Add LDAP firewall application rules

rules/application/ldap_firewall/ldap_firewall_bloodhound.yml

@@ -0,0 +1,36 @@
+title: BloodHound Collector
+id: 43f5e083-333c-494a-964c-6f80478a89e9
+status: experimental
+description: Detects BloodHound data collection
+references:
+    - https://bloodhound.readthedocs.io/en/latest/index.html
+    - https://github.com/zeronetworks/ldapfw
+    - https://zeronetworks.com/blog/ldap-firewall-level-up-your-dc-security/
+author: Dekel Paz, Sagie Dulce
+date: 2023/10/30
+modified: 2023/10/30
+tags:
+    - attack.discovery
+    - attack.t1087
+    - attack.t1482
+    - attack.t1615
+    - attack.t1201
+    - attack.t1069
+    - attack.t1018
+    - attack.t1033
+logsource:
+    product: ldap_firewall
+    category: application
+    definition: 'Requirements: install and apply the LDAP Firewall to all Domain Controllers in audit mode'
+detection:
+    selection:
+        EventLog: LDAPFW
+        EventID: 263
+        DN|contains:
+            - admincount
+            - userpassword
+            - msds-allowedToDelegateTo
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/application/ldap_firewall/ldap_firewall_laps.yml

@@ -0,0 +1,27 @@
+title: LAPS Password Harvesting
+id: 144cad53-25b8-43f1-8ec8-a0ef42335476
+status: experimental
+description: Detects attempts to access LAPS computer passwords
+references:
+    - https://github.com/zeronetworks/ldapfw
+    - https://zeronetworks.com/blog/ldap-firewall-level-up-your-dc-security/
+author: Dekel Paz, Sagie Dulce
+date: 2023/10/30
+modified: 2023/10/30
+tags:
+    - attack.privilege_escalation
+    - attack.t1078
+    - attack.t1078.003
+logsource:
+    product: ldap_firewall
+    category: application
+    definition: 'Requirements: install and apply the LDAP Firewall to all Domain Controllers in audit mode'
+detection:
+    selection:
+        EventLog: LDAPFW
+        EventID: 263
+        DN|contains: ms-Mcs-AdmPwd
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/application/ldap_firewall/ldap_firewall_name_impersonation.yml

@@ -0,0 +1,29 @@
+title: Computer Name Impersonation
+id: db821bd8-4f82-436b-841a-c6999a7da671
+status: experimental
+description: Detects LDAP Add operations of computer accounts without a trailing '$', which could indicate Name Impersonation for sAMAccountName spoofing
+references:
+    - https://www.thehacker.recipes/a-d/movement/kerberos/samaccountname-spoofing
+    - https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
+    - https://github.com/zeronetworks/ldapfw
+    - https://zeronetworks.com/blog/ldap-firewall-level-up-your-dc-security/
+author: Dekel Paz, Sagie Dulce
+date: 2023/10/30
+modified: 2023/10/30
+tags:
+    - attack.privilege_escalation
+    - attack.t1134
+    - attack.t1134.001
+logsource:
+    product: ldap_firewall
+    category: application
+    definition: 'Requirements: install and apply the LDAP Firewall to all Domain Controllers in audit mode'
+detection:
+    selection:
+        EventLog: LDAPFW
+        EventID: 261
+        EntryList|re: 'sAMAccountName:[^,$]*([,]{1}|$)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high