Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
Sigma rule (View on GitHub)
1title: Import LDAP Data Interchange Format File Via Ldifde.EXE
2id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
3status: test
4description: |
5 Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
6references:
7 - https://twitter.com/0gtweet/status/1564968845726580736
8 - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
9 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
10author: '@gott_cyber'
11date: 2022/09/02
12modified: 2023/03/14
13tags:
14 - attack.command_and_control
15 - attack.defense_evasion
16 - attack.t1218
17 - attack.t1105
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\ldifde.exe'
24 - OriginalFileName: 'ldifde.exe'
25 selection_cli:
26 CommandLine|contains|all:
27 - '-i'
28 - '-f'
29 condition: all of selection_*
30falsepositives:
31 - Since the content of the files are unknown, false positives are expected
32level: medium
References
Related rules
- File Download Via Windows Defender MpCmpRun.EXE
- Password Protected ZIP File Opened (Suspicious Filenames)
- PrintBrm ZIP Creation of Extraction
- Greenbug Espionage Group Indicators
- Download from Suspicious Dyndns Hosts