Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Import LDAP Data Interchange Format File Via Ldifde.EXE

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@gott_cyberCreated Fri Sep 02Updated Tue Mar 146f535e01-ca1f-40be-ab8d-45b19c0c8b7fwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\ldifde.exe'
        - OriginalFileName: 'ldifde.exe'
    selection_cli:
        CommandLine|contains|all:
            - '-i'
            - '-f'
    condition: all of selection_*
False Positives

Since the content of the files are unknown, false positives are expected

References
1
Resolving title…
twitter.com
2
Resolving title…
strontic.github.io
3
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
Status
test
Level
medium
Type
Detection
Created
Fri Sep 02
Modified
Tue Mar 14
Author
@gott_cyber
Path
rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
Raw Tags
attack.command-and-controlattack.defense-evasionattack.t1218attack.t1105
View on GitHub