Active Directory Structure Export Via Ldifde.EXE

 1title: Active Directory Structure Export Via Ldifde.EXE
 2id: 4f7a6757-ff79-46db-9687-66501a02d9ec
 3status: test
 4description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
 5references:
 6    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
 7    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-03-14
11tags:
12    - attack.exfiltration
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_ldif:
18        - Image|endswith: '\ldifde.exe'
19        - OriginalFileName: 'ldifde.exe'
20    selection_cmd:
21        CommandLine|contains: '-f'
22    filter_import:
23        CommandLine|contains: ' -i'
24    condition: all of selection_* and not 1 of filter_*
25falsepositives:
26    - Unknown
27level: medium

References

• Deep Dive Into a BackdoorDiplomacy Attack – A Study of an Attacker’s Toolkit

  

  A China-linked cyber espionage operation targeting multiple telecom providers in the Middle East was recently discovered by Bitdefender Labs.

  
  Read More

• DocumentCloud

  
  Read More

• Ldifde

  

  Ldifde Article 08/31/2016 Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8 Creates, modifies, and deletes d...

  
  Read More

Related rules

• APT40 Dropbox Tool User Agent
• AWS EC2 VM Export Failure
• AWS RDS Master Password Change
• AWS S3 Data Management Tampering
• AWS Snapshot Backup Exfiltration