Active Directory Structure Export Via Csvde.EXE

 1title: Active Directory Structure Export Via Csvde.EXE
 2id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
 3status: test
 4description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
 5references:
 6    - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
 7    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 8    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
 9    - https://redcanary.com/blog/msix-installers/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-03-14
12tags:
13    - attack.exfiltration
14    - attack.discovery
15    - attack.t1087.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith: '\csvde.exe'
22        - OriginalFileName: 'csvde.exe'
23    selection_remote:
24        CommandLine|contains: ' -f'
25    filter_import:
26        CommandLine|contains: ' -i'
27    condition: all of selection_* and not 1 of filter_*
28falsepositives:
29    - Unknown
30level: medium

References

• Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms

  

  The highly-targeted attacks against aerospace and telecoms firms by new Iranian threat actor MalKamak includes newly discovered malware that evaded security tools since 2018 and abuses Dropbox services for command and control...

  
  Read More

• Wayback Machine

  COLLECTED BY Web archive data from a crawl of open access PDF URLs provided by Unpaywall. TIMESTAMPS The Wayback Machine - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-sec...

  
  Read More

• Deep Dive Into a BackdoorDiplomacy Attack – A Study of an Attacker’s Toolkit

  

  A China-linked cyber espionage operation targeting multiple telecom providers in the Middle East was recently discovered by Bitdefender Labs.

  
  Read More

• MSIX installer malware delivery on the rise - Red Canary

  

  Red Canary has detected multiple distinct adversaries leveraging MSIX installers to deliver a variety of malware payloads in recent months.

  
  Read More

Related rules

• AD Privileged Users or Groups Reconnaissance
• Active Directory Computers Enumeration With Get-AdComputer
• BloodHound Collection Files
• HackTool - Bloodhound/Sharphound Execution
• Malicious PowerShell Commandlets - PoshModule