Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Example:
"C:\Windows\system32\ldifde.exe" -f -n eprod.ldf
Related
LOLBins Discovery
Reference:
https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/process_creation/proc_creation_win_ldifde_export.yml#L18
https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
{{ mitre("T1087.002")}}
Data Source(s): Command, Process
DeviceProcessEvents
| where FolderPath endswith @"\ldifde.exe" or ProcessVersionInfoOriginalFileName == "ldifde.exe"
| where ProcessCommandLine contains "-f" and not(ProcessCommandLine contains " -i")
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId
- Remove the comment "//" in 'summarize' statement in above KQL to assist in analysis and removing data duplicates.
- Examine the FolderPath and the command-line whether the activity is suspicious
- Inspect if the activity was expected and approved
Legitimate and approved use
Version 1.0 (date: 20/03/2024)