Active Directory Structure Export Via Ldifde.EXE

Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.

Sigma rule (View on GitHub)

 1title: Active Directory Structure Export Via Ldifde.EXE
 2id: 4f7a6757-ff79-46db-9687-66501a02d9ec
 3status: test
 4description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
 5references:
 6    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
 7    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 8    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-03-14
11tags:
12    - attack.exfiltration
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_ldif:
18        - Image|endswith: '\ldifde.exe'
19        - OriginalFileName: 'ldifde.exe'
20    selection_cmd:
21        CommandLine|contains: '-f'
22    filter_import:
23        CommandLine|contains: ' -i'
24    condition: all of selection_* and not 1 of filter_*
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top