Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Sigma rule (View on GitHub)
1title: Active Directory Structure Export Via Ldifde.EXE
2id: 4f7a6757-ff79-46db-9687-66501a02d9ec
3status: test
4description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
5references:
6 - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
7 - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
8 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/03/14
11tags:
12 - attack.exfiltration
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_ldif:
18 - Image|endswith: '\ldifde.exe'
19 - OriginalFileName: 'ldifde.exe'
20 selection_cmd:
21 CommandLine|contains: '-f'
22 filter_import:
23 CommandLine|contains: ' -i'
24 condition: all of selection_* and not 1 of filter_*
25falsepositives:
26 - Unknown
27level: medium
References
-
A China-linked cyber espionage operation targeting multiple telecom providers in the Middle East was recently discovered by Bitdefender Labs.
Read More
Related rules
- DNS Exfiltration and Tunneling Tools Execution
- Tap Driver Installation
- Tap Driver Installation - Security
- Tap Installer Execution
- PUA - Rclone Execution