← Back to Explore
sigmamediumHunting
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
Detection Query
selection_img:
- Image|endswith: \ldifde.exe
- OriginalFileName: ldifde.exe
selection_cli:
CommandLine|contains|all:
- -i
- -f
condition: all of selection_*
Author
@gott_cyber
Created
2022-09-02
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.command-and-controlattack.defense-evasionattack.t1218attack.t1105
Raw Content
title: Import LDAP Data Interchange Format File Via Ldifde.EXE
id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
status: test
description: |
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
references:
- https://twitter.com/0gtweet/status/1564968845726580736
- https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022-09-02
modified: 2023-03-14
tags:
- attack.command-and-control
- attack.defense-evasion
- attack.t1218
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ldifde.exe'
- OriginalFileName: 'ldifde.exe'
selection_cli:
CommandLine|contains|all:
- '-i'
- '-f'
condition: all of selection_*
falsepositives:
- Since the content of the files are unknown, false positives are expected
level: medium