ADSI-Cache File Creation By Uncommon Tool

calendar Oct 23, 2023 · attack.t1001.003 attack.command_and_control  ·
Share on: linkedin copy

Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

Sigma rule (View on GitHub)

 1title: ADSI-Cache File Creation By Uncommon Tool
 2id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
 3status: test
 4description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
 5references:
 6    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
 7    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
 8    - https://github.com/fox-it/LDAPFragger
 9author: xknow @xknow_infosec, Tim Shelton
10date: 2019/03/24
11modified: 2023/10/18
12tags:
13    - attack.t1001.003
14    - attack.command_and_control
15logsource:
16    product: windows
17    category: file_event
18detection:
19    selection:
20        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
21        TargetFilename|endswith: '.sch'
22    filter_main_generic:
23        - Image|endswith:
24              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
25              - ':\Windows\CCM\CcmExec.exe'
26              - ':\windows\system32\dllhost.exe'
27              - ':\Windows\system32\dsac.exe'
28              - ':\Windows\system32\efsui.exe'
29              - ':\windows\system32\mmc.exe'
30              - ':\windows\system32\svchost.exe'
31              - ':\Windows\System32\wbem\WmiPrvSE.exe'
32              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
33        - Image|contains:
34              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
35              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
36    filter_main_office:
37        Image|contains|all:
38            - ':\Program Files\'
39            - '\Microsoft Office'
40        Image|endswith: '\OUTLOOK.EXE'
41    filter_optional_ldapwhoami:
42        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
43    filter_optional_citrix:
44        # Example:
45        #   TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
46        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
47    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
48falsepositives:
49    - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
50level: medium

References

Related rules

to-top