EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Active Directory Structure Export Via Csvde.EXE

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

MITRE ATT&CK

T1087.002
exfiltrationdiscovery

Detection Query

selection_img:
  - Image|endswith: \csvde.exe
  - OriginalFileName: csvde.exe
selection_remote:
  CommandLine|contains: " -f"
filter_import:
  CommandLine|contains: " -i"
condition: all of selection_* and not 1 of filter_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-03-14

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.exfiltrationattack.discoveryattack.t1087.002
Raw Content
title: Active Directory Structure Export Via Csvde.EXE
id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
status: test
description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
references:
    - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
    - https://redcanary.com/blog/msix-installers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
    - attack.exfiltration
    - attack.discovery
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csvde.exe'
        - OriginalFileName: 'csvde.exe'
    selection_remote:
        CommandLine|contains: ' -f'
    filter_import:
        CommandLine|contains: ' -i'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium