https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/1000971#M7688 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/919986371">@RPathivada</a>&nbsp;, official response is:<BR /><BR /></P> <P>"...there is currently no Proof of Concept (PoC) available for this CVE, which means coverage is not possible at this time. However, it has been added to our monitoring list, and coverage will be implemented as soon as a valid PoC is identified."<BR /><BR /></P> <P>For more details, you can refer to this article: <BR />[Knowledge Base Article](<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAOnCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAOnCAO</A>)<BR /><BR /></P> Wed, 08 Jan 2025 18:36:08 GMT tlmarques 2025-01-08T18:36:08Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/999972#M7646 <P>Hi ,&nbsp;</P> <P>How to check for the below actions in xql builder.</P> <P>please help in developing a query&nbsp;</P> <P>&nbsp;</P> <OL class="wp-block-list"> <LI>The attacker sends a DCE/RPC request to the Victim Server Machine</LI> <LI>The Victim is triggered to send a DNS SRV query about SafeBreachLabs.pro</LI> <LI>The Attacker’s DNS server responds with the Attacker’s hostname machine and LDAP port&nbsp;</LI> <LI>The Victim sends a broadcast NBNS request to find the IP address of the received hostname (of the Attacker’s)</LI> <LI>The Attacker sends an NBNS response with its IP Address</LI> <LI>The Victim becomes an LDAP client and sends a CLDAP request to the Attacker’s machine</LI> <LI>The Attacker sends a CLDAP referral response packet with a specific value resulting in LSASS to crash and force a reboot of the Victim server</LI> </OL> Thu, 02 Jan 2025 12:37:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/999972#M7646 RPathivada 2025-01-02T12:37:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/1000789#M7684 <P>I've open a administrative case for get informations about XDR and if XDR prevent the attack and how we can search on XQL.</P> Wed, 08 Jan 2025 15:40:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/1000789#M7684 tlmarques 2025-01-08T15:40:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/1000971#M7688 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/919986371">@RPathivada</a>&nbsp;, official response is:<BR /><BR /></P> <P>"...there is currently no Proof of Concept (PoC) available for this CVE, which means coverage is not possible at this time. However, it has been added to our monitoring list, and coverage will be implemented as soon as a valid PoC is identified."<BR /><BR /></P> <P>For more details, you can refer to this article: <BR />[Knowledge Base Article](<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAOnCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAOnCAO</A>)<BR /><BR /></P> Wed, 08 Jan 2025 18:36:08 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept/m-p/1000971#M7688 tlmarques 2025-01-08T18:36:08Z