Active Directory Structure Export Via Csvde.EXE

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Sigma rule (View on GitHub)

 1title: Active Directory Structure Export Via Csvde.EXE
 2id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
 3status: test
 4description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
 5references:
 6    - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
 7    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
 8    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/03/14
11tags:
12    - attack.exfiltration
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith: '\csvde.exe'
19        - OriginalFileName: 'csvde.exe'
20    selection_remote:
21        CommandLine|contains: ' -f'
22    filter_import:
23        CommandLine|contains: ' -i'
24    condition: all of selection_* and not 1 of filter_*
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top