
Summary
This detection rule identifies potential misuse of three LDAP attributes associated with LDAPFragger, a Fox-IT tool that uses Active Directory LDAP attributes as a covert channel for command-and-control (C2) traffic, including relaying Cobalt Strike beacon traffic between hosts that cannot reach each other directly. The attributes are 'primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber' and 'primaryTelexNumber', default schema attributes that organizations rarely populate. The rule matches Windows Security Event ID 5136 ("A directory service object was modified") whose AttributeLDAPDisplayName is one of these three values; it therefore covers writes to the attributes, not reads or LDAP queries. Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and a SACL on the objects (or an inherited SACL from their parent container) audits write access, so the rule produces no alerts in a domain without that auditing. A write to one of these attributes may indicate a covert channel, particularly when the same account repeatedly modifies the same object and the stored value looks like encoded data rather than a telephone number. False positives are expected from organizations that genuinely store telex, fax or ISDN numbers in these fields, so security teams should check which account wrote the value, which object it wrote to, and what was written before acting on an alert. Beyond this detection, restricting which accounts can write to directory objects and monitoring LDAP traffic for unusual attribute usage reduce the risk from LDAP-based C2 tools such as LDAPFragger.
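The following is an added example, not part of the original rule or of the LDAPFragger project, showing the rule's logic run over constructed Event ID 5136 records rendered as Windows event XML. It goes slightly beyond the rule itself by counting matched writes per (account, object) pair, which is the first triage step an analyst would take: a covert channel writes the same object's attribute repeatedly, while an HR update to a fax number is a single write. The event data field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType) are those of the real 5136 event; the account names, object DNs and attribute values are invented sample data.

```python
import xml.etree.ElementTree as ET

# Attributes the rule watches: default AD schema attributes that LDAPFragger
# (Fox-IT) can use as a data channel and that organizations rarely populate.
SUSPICIOUS_ATTRIBUTES = frozenset({
    "primaryInternationalISDNNumber",
    "otherFacsimileTelephoneNumber",
    "primaryTelexNumber",
})

# Namespace used by Windows event XML (Get-WinEvent ... | % ToXml, or forwarded events).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, attr, value, subject, obj, op="%%14674"):
    """Build a minimal constructed Security event in Windows event XML.
    OperationType %%14674 = value added, %%14675 = value deleted."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">{obj}</Data>
    <Data Name="AttributeLDAPDisplayName">{attr}</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


WS01 = "CN=WS01,OU=Workstations,DC=corp,DC=local"
JANE = "CN=Jane Doe,OU=Users,DC=corp,DC=local"

# Constructed sample log: three writes by a service account to one computer object
# (a channel pattern), one benign description change, one legitimate fax number.
SAMPLE_EVENTS = [
    _event(5136, "primaryTelexNumber", "UHJpbnRlciBjaGFubmVsIGRhdGE=", "svc_relay", WS01),
    _event(5136, "primaryTelexNumber", "UHJpbnRlciBjaGFubmVsIGRhdGE=", "svc_relay", WS01, op="%%14675"),
    _event(5136, "primaryTelexNumber", "TmV4dCBmcmFnbWVudA==", "svc_relay", WS01),
    _event(5136, "description", "Finance department", "hr.admin", JANE),
    _event(5136, "otherFacsimileTelephoneNumber", "+1 555 0100", "hr.admin", JANE),
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def match_rule(event_id, data):
    """The rule's selection: Event ID 5136 with a watched AttributeLDAPDisplayName."""
    return event_id == 5136 and data.get("AttributeLDAPDisplayName") in SUSPICIOUS_ATTRIBUTES


def detect(events):
    """Run the rule over a sequence of event XML strings; return matched EventData dicts."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if match_rule(event_id, data):
            hits.append(data)
    return hits


def triage(hits):
    """Count matched writes per (account, object). Repeated writes by one account to
    one object are the channel pattern; a single write is more likely a real update."""
    counts = {}
    for data in hits:
        key = (data.get("SubjectUserName"), data.get("ObjectDN"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    matched = detect(SAMPLE_EVENTS)
    for (subject, obj), n in triage(matched).items():
        print(f"{n} write(s) by {subject} to {obj}")
```

The same selection can be expressed against a live domain controller with Get-WinEvent filtered on ID 5136 and the AttributeLDAPDisplayName field; the per-account aggregation is where the false-positive handling described above starts, since a single write of a value that looks like a phone number is usually a directory update rather than a channel.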
Categories
- Windows
- Cloud
- On-Premise
- Infrastructure
Data Sources
- Active Directory
- Logon Session
Created: 2019-03-24