Techniques
Sample rules
ADSI-Cache File Creation By Uncommon Tool
- source: sigma
- techniques:
  - t1001
  - t1001.003
Description
Detects the creation of an Active Directory Schema Cache file (.sch) by an uncommon tool.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  - Image|endswith:
      - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
      - ':\Windows\CCM\CcmExec.exe'
      - ':\windows\system32\dllhost.exe'
      - ':\Windows\system32\dsac.exe'
      - ':\Windows\system32\efsui.exe'
      - ':\windows\system32\mmc.exe'
      - ':\windows\system32\svchost.exe'
      - ':\Windows\System32\wbem\WmiPrvSE.exe'
      - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
  - Image|contains:
      - ':\Windows\ccmsetup\autoupgrade\ccmsetup'
      - ':\Program Files\SentinelOne\Sentinel Agent'
filter_main_office:
  Image|contains|all:
    - ':\Program Files\'
    - '\Microsoft Office'
  Image|endswith: '\OUTLOOK.EXE'
filter_optional_citrix:
  Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
filter_optional_ldapwhoami:
  Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
selection:
  TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
  TargetFilename|endswith: '.sch'
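To make the condition concrete, the following is an added Python evaluator that mirrors the rule's logic and runs it over a handful of constructed file-creation events. It is example code written for this page, not part of the Sigma rule or of SigmaHQ; it assumes Sysmon Event ID 11 style records with the fields `Image` and `TargetFilename`, and the sample events (paths, user names, file names) are constructed. Sigma string modifiers compare case-insensitively, so every comparison lowercases both sides; `filter_main_generic` is a YAML list of two maps, which Sigma evaluates as an OR, and `1 of filter_main_*` means "any of those filters matched".

```python
# Added example: a Python re-implementation of the detection logic of
# "ADSI-Cache File Creation By Uncommon Tool". Not the rule's own code.
# Assumes Sysmon Event ID 11 (FileCreate) field names: Image, TargetFilename.

from typing import Dict, Iterable, List

Event = Dict[str, str]


# --- Sigma modifiers (case-insensitive by default) -------------------------

def ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def contains_all(value: str, needles: Iterable[str]) -> bool:   # contains|all
    v = value.lower()
    return all(n.lower() in v for n in needles)


# --- Rule constants, copied from the detection block -----------------------

SCHCACHE_DIR = "\\Local\\Microsoft\\Windows\\SchCache\\"

GENERIC_ENDSWITH = [
    ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe",
    ":\\Windows\\CCM\\CcmExec.exe",
    ":\\windows\\system32\\dllhost.exe",
    ":\\Windows\\system32\\dsac.exe",
    ":\\Windows\\system32\\efsui.exe",
    ":\\windows\\system32\\mmc.exe",
    ":\\windows\\system32\\svchost.exe",
    ":\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
]
GENERIC_CONTAINS = [
    ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup",
    ":\\Program Files\\SentinelOne\\Sentinel Agent",
]
CITRIX_HOST = (":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\"
               "DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe")
LDAPWHOAMI = "\\LANDesk\\LDCLient\\ldapwhoami.exe"


# --- Named selections and filters, one function per YAML key ---------------

def selection(ev: Event) -> bool:
    tf = ev.get("TargetFilename", "")
    return contains_all(tf, [SCHCACHE_DIR]) and ends_with_any(tf, [".sch"])


def filter_main_generic(ev: Event) -> bool:
    # YAML list of two maps -> either map matching is enough (OR)
    img = ev.get("Image", "")
    return ends_with_any(img, GENERIC_ENDSWITH) or contains_any(img, GENERIC_CONTAINS)


def filter_main_office(ev: Event) -> bool:
    # Keys inside one map are ANDed: contains|all AND endswith
    img = ev.get("Image", "")
    return (contains_all(img, [":\\Program Files\\", "\\Microsoft Office"])
            and ends_with_any(img, ["\\OUTLOOK.EXE"]))


def filter_optional_citrix(ev: Event) -> bool:
    return ends_with_any(ev.get("Image", ""), [CITRIX_HOST])


def filter_optional_ldapwhoami(ev: Event) -> bool:
    return ends_with_any(ev.get("Image", ""), [LDAPWHOAMI])


def matches(ev: Event) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(ev):
        return False
    if filter_main_generic(ev) or filter_main_office(ev):
        return False
    if filter_optional_citrix(ev) or filter_optional_ldapwhoami(ev):
        return False
    return True


def run(events: Iterable[Event]) -> List[str]:
    """Return the Image of every event the rule would alert on."""
    return [ev["Image"] for ev in events if matches(ev)]


# Constructed sample events (not real telemetry); SchCache path and .sch name are made up
SCH = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\SchCache\\contoso.sch"
SAMPLE_EVENTS: List[Event] = [
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": SCH},                                  # filtered: Office
    {"Image": "c:\\WINDOWS\\SYSTEM32\\MMC.EXE",
     "TargetFilename": SCH},                                  # filtered: case-insensitive
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unexpected_tool.exe",
     "TargetFilename": SCH},                                  # alert: uncommon tool
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\unexpected_tool.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},  # no selection hit
]

if __name__ == "__main__":
    for image in run(SAMPLE_EVENTS):
        print("ALERT: ADSI cache file created by", image)
```

Only the third constructed event reaches the alert path: the Outlook and mmc.exe events hit `filter_main_*`, and the last one never satisfies `selection`. When tuning this rule for an environment, new exclusions belong in a `filter_optional_*` style block keyed on the full image path, as the rule already does for Citrix and LANDesk, rather than on a bare file name that any binary could adopt.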