Case of unexplained LDAP requests

Posted by zine on

In this post, I will explain how I troubleshoot unusual LDAP requests on the network.

The case:

A computer member of windows domain is sending LDAP requests massively and constantly on the network, to all the domain controllers of all sites.

The computer is located on site A (Subunet 192.168.1.0/24) and sends UDP packets on port 389 to the domain controllers located on the following sites:

– B (subnet: 192.168.2.0/24)

– C (Subnet: 192.168.3.0/24)

– D (Subnet: 192.168.4.0/24)

The requests appear on the enterprise Firewall, and the IT manager of one of the remote sites, starts complaining about this unusual UDP packets sends to his domain controllers. So I decided to find out what is causing these massive LDAP requests.

Kerio_ldap_modif

The investigation:

In the firewall, I’ve terminated all the UDP requests on port 389 (LDAP) initiated by the host 192.168.1.89. I started Process Monitor (procmon) and waited until the host starts sending UDP packets to the domain controllers. After that, I stopped the procmon’s capture and started my investigation.

The big question was: which process is sending this LDAP requests? And why is it doing it?

So in process monitor, I set a filter on the Path column that contains 389 value.

Filter_path_389

The result of applying the filter is the following:

NB: for confidentiality reasons I hid the original IP addresses and assume that subnets are 192.168.x.x

Filter_path_389_result1

We can notice that the “Lsass.exe” process is sending UDP requests on port 389 to the local and remote domain controllers.

What is lsass.exe process in fact? Lsass.exe for Local Security Authority Subsystem is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log (https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service).

So now we have to find which process is calling lsass.exe to authenticate on the domain controllers?

The answer is found above in the trace.

lsaas_read_sophos_regkey

The lsass.exe process is accessing a registry key “SophosSAUALGUCT120000” which is in fact the concatenation of “SophosSAU” for Sophos Antivirus Update program and the NetBIOS name of the Windows PC.

Having this clue between hands, I stopped the Sophos Update service from the service manager and observe if there is any LDAP request sent. And there was no LDAP query sent for a while. But when I start the Sophos Update Service the LDAP reappears quickly.

The culprit was found, but what was causing Sophos Update Service sending this unusual LDAP requests? After having a deep look at the Sophos installation in the PC it revealed the installation was damaged. After reinstalling the Sophos antivirus again the problem was solved.

Conclusion:

Without tools like Process monitor, it would be difficult to troubleshoot this kind of issues.

Share this article
      

Leave a Reply