Type: Detection | Level: medium | Status: test

ADSI-Cache File Creation By Uncommon Tool

Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.

Authors: xknow, Tim Shelton
Created: Sun Mar 24
Updated: Wed Oct 18
Rule ID: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
Product: windows

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (5 selectors)
detection:
    selection:
        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
        TargetFilename|endswith: '.sch'
    filter_main_generic:
        - Image|endswith:
              - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
              - ':\Windows\CCM\CcmExec.exe'
              - ':\windows\system32\dllhost.exe'
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\efsui.exe'
              - ':\windows\system32\mmc.exe'
              - ':\windows\system32\svchost.exe'
              - ':\Windows\System32\wbem\WmiPrvSE.exe'
              - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains:
              - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
              - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
    filter_main_office:
        Image|contains|all:
            - ':\Program Files\'
            - '\Microsoft Office'
        Image|endswith: '\OUTLOOK.EXE'
    filter_optional_ldapwhoami:
        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
    filter_optional_citrix:
        # Example:
        #   TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
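
The rule's matching logic, re-implemented as an added Python example (not code from the Sigma project or the rule authors) and run over constructed Sysmon-style file-creation events; the event field names Image and TargetFilename follow the rule, while the sample paths and the executable tool.exe are invented for illustration.

```python
# Added example: evaluates this rule's selection, filters and condition.
# Sigma string modifiers match case-insensitively, so every comparison lowercases.
GENERIC_ENDSWITH = (
    r":\Program Files\Cylance\Desktop\CylanceSvc.exe", r":\Windows\CCM\CcmExec.exe",
    r":\windows\system32\dllhost.exe", r":\Windows\system32\dsac.exe",
    r":\Windows\system32\efsui.exe", r":\windows\system32\mmc.exe",
    r":\windows\system32\svchost.exe", r":\Windows\System32\wbem\WmiPrvSE.exe",
    r":\windows\system32\WindowsPowerShell\v1.0\powershell.exe",
)
GENERIC_CONTAINS = (r":\Windows\ccmsetup\autoupgrade\ccmsetup",
                    r":\Program Files\SentinelOne\Sentinel Agent")
CITRIX_IMAGE = (r":\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices"
                r"\Citrix.DeliveryServices.DomainServices.ServiceHost.exe")

def ends(value, *suffixes):   # Sigma endswith, true if any suffix matches
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def has(value, *needles):     # Sigma contains, true if any substring matches
    return any(n.lower() in value.lower() for n in needles)

def selection(ev):
    return has(ev["TargetFilename"], "\\Local\\Microsoft\\Windows\\SchCache\\") \
        and ends(ev["TargetFilename"], ".sch")

def filter_main(ev):          # 1 of filter_main_*
    img = ev["Image"]
    generic = ends(img, *GENERIC_ENDSWITH) or has(img, *GENERIC_CONTAINS)
    # filter_main_office: contains|all requires every substring, plus the endswith key
    office = all(has(img, s) for s in (":\\Program Files\\", "\\Microsoft Office")) \
        and ends(img, "\\OUTLOOK.EXE")
    return generic or office

def filter_optional(ev):      # 1 of filter_optional_*
    return ends(ev["Image"], r"\LANDesk\LDCLient\ldapwhoami.exe", CITRIX_IMAGE)

def matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(ev) and not filter_main(ev) and not filter_optional(ev)

# Constructed sample events (Sysmon Event ID 11 style fields, not real telemetry).
SCH = r"C:\Users\alice\AppData\Local\Microsoft\Windows\SchCache\corp.example.sch"
EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "TargetFilename": SCH},       # filtered
    {"Image": r"C:\Users\alice\Downloads\tool.exe", "TargetFilename": SCH},  # alerts
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notes.txt"},     # not .sch
]
def alerting_images(events=EVENTS):
    return [e["Image"] for e in events if matches(e)]
```

Only the second event alerts: its Image is not on any allow-list, so a .sch file written under SchCache by an unexpected process surfaces, while the same write by mmc.exe is suppressed by filter_main_generic.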
False Positives

Other legitimate tools that perform ADSI (LDAP) operations, e.g. any remoting activity by MMC, PowerShell, Windows etc.

Rule Metadata
Rule ID
75bf09fa-1dd7-4d18-9af9-dd9e492562eb
Status
test
Level
medium
Type
Detection
Created
Sun Mar 24
Modified
Wed Oct 18
Path
rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml
Raw Tags
attack.t1001.003, attack.command-and-control