ADSI-Cache File Creation By Uncommon Tool
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Sigma rule (View on GitHub)
1title: ADSI-Cache File Creation By Uncommon Tool
2id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
3status: test
4description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
5references:
6 - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
7 - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
8 - https://github.com/fox-it/LDAPFragger
9author: xknow @xknow_infosec, Tim Shelton
10date: 2019-03-24
11modified: 2023-10-18
12tags:
13 - attack.t1001.003
14 - attack.command-and-control
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
21 TargetFilename|endswith: '.sch'
22 filter_main_generic:
23 - Image|endswith:
24 - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
25 - ':\Windows\CCM\CcmExec.exe'
26 - ':\windows\system32\dllhost.exe'
27 - ':\Windows\system32\dsac.exe'
28 - ':\Windows\system32\efsui.exe'
29 - ':\windows\system32\mmc.exe'
30 - ':\windows\system32\svchost.exe'
31 - ':\Windows\System32\wbem\WmiPrvSE.exe'
32 - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
33 - Image|contains:
34 - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
35 - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
36 filter_main_office:
37 Image|contains|all:
38 - ':\Program Files\'
39 - '\Microsoft Office'
40 Image|endswith: '\OUTLOOK.EXE'
41 filter_optional_ldapwhoami:
42 Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
43 filter_optional_citrix:
44 # Example:
45 # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
46 Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
47 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
48falsepositives:
49 - Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc.
50level: medium
References
Related rules
- Suspicious LDAP-Attributes Used
- APT User Agent
- APT40 Dropbox Tool User Agent
- Activity from Anonymous IP Addresses
- Activity from Infrequent Country