
T1087.002 - Active Directory Structure Export Via Ldifde.EXE

DESCRIPTION

Detects the execution of "ldifde.exe" in export mode (the "-f" output-file switch without the "-i" import switch). Attackers use this built-in tool to dump the organizational Active Directory structure (users, groups, OUs and their attributes) into an LDIF file for offline review.

Example:

"C:\Windows\system32\ldifde.exe" -f -n eprod.ldf

Related

LOLBins Discovery

Reference:

https://github.com/SigmaHQ/sigma/blob/583f08ecaca532c7bff6e56e73c2e25c5b184796/rules/windows/process_creation/proc_creation_win_ldifde_export.yml#L18
https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)

ATT&CK TACTICS

T1087.002 - Account Discovery: Domain Account

Data Source(s): Command, Process

SENTINEL RULE QUERY

DeviceProcessEvents 
// match ldifde.exe by image path, or by original file name so a renamed copy is still caught
| where FolderPath endswith @"\ldifde.exe" or ProcessVersionInfoOriginalFileName == "ldifde.exe" 
// "-f" names the LDIF output file; " -i" switches ldifde to import mode and is excluded
| where ProcessCommandLine contains "-f" and not(ProcessCommandLine contains " -i")
// uncomment to aggregate per initiating process, image and account and remove duplicate rows
//| summarize count(), num_distinctDevices = dcount(DeviceName), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine), first_ = min(TimeGenerated), last_ = max(TimeGenerated) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId 

Triage

  1. Remove the "//" comment marker from the 'summarize' statement in the KQL above to aggregate results per initiating process, image and account and remove duplicates.
  2. Examine the FolderPath (a copy of ldifde.exe outside System32 is unusual) and the command line (output file location, any "-r" LDAP filter or "-s" remote server) to decide whether the activity is suspicious.
  3. Check whether the activity was expected and approved, for example a scheduled directory backup or a migration task.
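The predicate and the optional summarize step of the query above, emulated in Python over constructed DeviceProcessEvents rows so the filter logic can be exercised offline. This is an added example, not code from the original page or from the Sigma project; the events, device names and accounts are constructed for illustration, and the helpers reproduce the case-insensitivity of KQL's endswith and contains (== in KQL is case-sensitive, hence the exact comparison on the original file name).

```python
"""Emulate the Sentinel rule for ldifde.exe exports over sample process events.

Added example, not part of the original page or the Sigma rule. All events are
constructed; field names follow the DeviceProcessEvents schema the query uses.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the page's example export: should match
        "DeviceName": "dc01", "AccountName": "svc-backup",
        "FolderPath": r"C:\Windows\System32\ldifde.exe",
        "ProcessVersionInfoOriginalFileName": "ldifde.exe",
        "ProcessCommandLine": r'"C:\Windows\system32\ldifde.exe" -f -n eprod.ldf',
        "InitiatingProcessFileName": "cmd.exe",
    },
    {   # import mode (-i): excluded by the rule's filter
        "DeviceName": "dc01", "AccountName": "svc-backup",
        "FolderPath": r"C:\Windows\System32\ldifde.exe",
        "ProcessVersionInfoOriginalFileName": "ldifde.exe",
        "ProcessCommandLine": r"ldifde.exe -i -f newusers.ldf -k",
        "InitiatingProcessFileName": "powershell.exe",
    },
    {   # renamed copy of ldifde.exe: caught via the original file name
        "DeviceName": "ws07", "AccountName": "jdoe",
        "FolderPath": r"C:\Users\Public\ldf.exe",
        "ProcessVersionInfoOriginalFileName": "ldifde.exe",
        "ProcessCommandLine": r"ldf.exe -f C:\Users\Public\ad.ldf -r (objectClass=user)",
        "InitiatingProcessFileName": "cmd.exe",
    },
    {   # unrelated binary that also takes -f: not ldifde, ignored
        "DeviceName": "ws07", "AccountName": "jdoe",
        "FolderPath": r"C:\Windows\System32\tar.exe",
        "ProcessVersionInfoOriginalFileName": "tar.exe",
        "ProcessCommandLine": r"tar.exe -f backup.tar -c docs",
        "InitiatingProcessFileName": "cmd.exe",
    },
    {   # upper-case -I: KQL contains is case-insensitive, so still excluded
        "DeviceName": "dc02", "AccountName": "admin",
        "FolderPath": r"C:\Windows\System32\ldifde.exe",
        "ProcessVersionInfoOriginalFileName": "ldifde.exe",
        "ProcessCommandLine": r"ldifde.exe -I -f bulk.ldf",
        "InitiatingProcessFileName": "cmd.exe",
    },
    {   # second export by the same account on dc01: collapses into one summarize row
        "DeviceName": "dc01", "AccountName": "svc-backup",
        "FolderPath": r"C:\Windows\System32\ldifde.exe",
        "ProcessVersionInfoOriginalFileName": "ldifde.exe",
        "ProcessCommandLine": r'ldifde.exe -f users.ldf -r "(objectClass=user)" -n',
        "InitiatingProcessFileName": "cmd.exe",
    },
]


def kql_endswith(value: str, suffix: str) -> bool:
    """KQL 'endswith' is case-insensitive."""
    return value.lower().endswith(suffix.lower())


def kql_contains(value: str, needle: str) -> bool:
    """KQL 'contains' is case-insensitive ('contains_cs' is the case-sensitive form)."""
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies both 'where' clauses of the query."""
    folder = event.get("FolderPath", "")
    orig = event.get("ProcessVersionInfoOriginalFileName", "")
    cmd = event.get("ProcessCommandLine", "")
    # image by path, or by original file name so a renamed copy is still caught ('==' is case-sensitive)
    is_ldifde = kql_endswith(folder, r"\ldifde.exe") or orig == "ldifde.exe"
    # '-f' names the output file; ' -i' (any case) means import mode and is excluded
    is_export = kql_contains(cmd, "-f") and not kql_contains(cmd, " -i")
    return is_ldifde and is_export


def run_rule(events: list) -> list:
    """Apply the rule to a list of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


def summarize(events: list) -> dict:
    """Emulate the commented-out summarize: one row per initiating process, image and account."""
    groups = defaultdict(lambda: {"count": 0, "devices": set(), "cmds": set()})
    for e in events:
        key = (e.get("InitiatingProcessFileName", ""), e.get("FolderPath", ""), e.get("AccountName", ""))
        g = groups[key]
        g["count"] += 1
        g["devices"].add(e.get("DeviceName", ""))
        g["cmds"].add(e.get("ProcessCommandLine", ""))
    return dict(groups)


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    for key, g in summarize(hits).items():
        print(key, g["count"], sorted(g["devices"]), sorted(g["cmds"]))
```

Running the block aggregates the three matching events into two rows, which is the de-duplication the first triage step asks for; the import and the upper-case "-I" events never reach the summarize stage.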

FalsePositive

Legitimate and approved use, for example scheduled Active Directory backups or bulk exports by administrators during migrations

VERSION

Version 1.0 (date: 20/03/2024)