The hypothesis is that an adversary is leveraging an uncommon tool to create ADSI-cache files to persist within the environment and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and disrupt advanced persistent threats.
Detection Rule
title: ADSI-Cache File Creation By Uncommon Tool
id: 75bf09fa-1dd7-4d18-9af9-dd9e492562eb
status: test
description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
references:
    - https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961
    - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
    - https://github.com/fox-it/LDAPFragger
author: xknow @xknow_infosec, Tim Shelton
date: 2019-03-24
modified: 2023-10-18
tags:
    - attack.t1001.003
    - attack.command-and-control
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
        TargetFilename|endswith: '.sch'
    filter_main_generic:
        - Image|endswith:
            - ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
            - ':\Windows\CCM\CcmExec.exe'
            - ':\windows\system32\dllhost.exe'
            - ':\Windows\system32\dsac.exe'
            - ':\Windows\system32\efsui.exe'
            - ':\windows\system32\mmc.exe'
            - ':\windows\system32\svchost.exe'
            - ':\Windows\System32\wbem\WmiPrvSE.exe'
            - ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains:
            - ':\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
            - ':\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
    filter_main_office:
        Image|contains|all:
            - ':\Program Files\'
            - '\Microsoft Office'
        Image|endswith: '\OUTLOOK.EXE'
    filter_optional_ldapwhoami:
        Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
    filter_optional_citrix:
        # Example:
        # TargetFilename=C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\SchCache\REDACTED.com.sch
        Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate tools which perform ADSI (LDAP) operations, e.g. any remoting activity by MMC, PowerShell, Windows etc.
level: medium
imFileEvent
// Field mapping to the ASIM FileEvent schema (assumed here; verify against your parser):
// Sigma TargetFilename is the full path of the created file, which ASIM stores in
// TargetFilePath (TargetFileName holds the bare file name without a path), and Sigma
// Image is the creating process, which ASIM stores in ActingProcessName. The earlier
// automated conversion compared the process patterns against TargetFilePath, i.e. against
// the created file rather than the creating process, so the exclusions could never match.
// KQL contains/endswith are case-insensitive, matching Sigma's string semantics.
| where TargetFilePath contains "\\Local\\Microsoft\\Windows\\SchCache\\"
    and TargetFilePath endswith ".sch"
// filter_main_generic and filter_main_office
| where not(
    ActingProcessName endswith ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe"
    or ActingProcessName endswith ":\\Windows\\CCM\\CcmExec.exe"
    or ActingProcessName endswith ":\\windows\\system32\\dllhost.exe"
    or ActingProcessName endswith ":\\Windows\\system32\\dsac.exe"
    or ActingProcessName endswith ":\\Windows\\system32\\efsui.exe"
    or ActingProcessName endswith ":\\windows\\system32\\mmc.exe"
    or ActingProcessName endswith ":\\windows\\system32\\svchost.exe"
    or ActingProcessName endswith ":\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    or ActingProcessName endswith ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
    or ActingProcessName contains ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup"
    or ActingProcessName contains ":\\Program Files\\SentinelOne\\Sentinel Agent"
    or (ActingProcessName contains ":\\Program Files\\"
        and ActingProcessName contains "\\Microsoft Office"
        and ActingProcessName endswith "\\OUTLOOK.EXE"))
// filter_optional_ldapwhoami and filter_optional_citrix
| where not(
    ActingProcessName endswith "\\LANDesk\\LDCLient\\ldapwhoami.exe"
    or ActingProcessName endswith ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe")
Scenario: Scheduled Job Using PowerShell to Generate Temporary Files
Description: A scheduled task runs a PowerShell script that creates temporary files in the ADSI-Cache directory as part of a routine maintenance or data processing job.
Filter/Exclusion: Check for ProcessName = "powershell.exe" and CommandLine containing "New-TemporaryFile" or "New-Item" with a known temporary file pattern.
Scenario: System Update or Patching Tool Creating Cache Files
Description: A system update tool (e.g., Windows Update, SCCM, or third-party patching software) creates cache files in the ADSI-Cache directory during an update process.
Filter/Exclusion: Check for ProcessName matching the update tool (e.g., wusa.exe, ccmexec.exe) or use a ParentProcessName filter to identify known update services.
Scenario: Admin Task Using a Scripting Tool to Generate Logs
Description: An administrator uses a scripting tool (e.g., Python, Bash, or a custom script) to generate log files or cache files in the ADSI-Cache directory for troubleshooting or diagnostics.
Filter/Exclusion: Filter by ProcessName matching the scripting tool (e.g., python.exe, bash.exe) or use a User filter to identify admin accounts performing the task.
Scenario: Antivirus or Endpoint Protection Software Creating Temporary Files
Description: Antivirus or endpoint protection software (e.g., Microsoft Defender, CrowdStrike, or Bitdefender) creates temporary files in the ADSI-Cache directory during a scan or quarantine process.
Filter/Exclusion: Check for ProcessName matching the antivirus tool (e.g., MsMpEng.exe, Csrss.exe) or use a ParentProcessName filter to identify known security
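As an added example (not code from this page, the rule authors or the Sigma project), the Python evaluator below implements the rule's selection, filter_main_*, filter_optional_* and condition logic with Sigma's case-insensitive string matching, and runs it over constructed Sysmon-style file-creation events (Event ID 11 fields: Image is the creating process, TargetFilename is the full path of the created file). The `extra_endswith` parameter is a hypothetical tuning hook for the environment-specific exclusions the false-positive scenarios above describe; host, user, domain and tool names in the sample events are made up.

```python
# Added example: a Python evaluator for the "ADSI-Cache File Creation By Uncommon
# Tool" rule, run over constructed file-creation events. Not from the original
# page or the Sigma project; event field names follow Sysmon Event ID 11.
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


def _lower(patterns: Sequence[str]) -> Tuple[str, ...]:
    """Sigma contains/endswith compare case-insensitively: lower-case all patterns once."""
    return tuple(p.lower() for p in patterns)


# selection
SELECTION_CONTAINS = "\\Local\\Microsoft\\Windows\\SchCache\\".lower()
SELECTION_ENDSWITH = ".sch"

# filter_main_generic: two alternatives (endswith list OR contains list)
FILTER_MAIN_GENERIC_ENDSWITH = _lower((
    ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe",
    ":\\Windows\\CCM\\CcmExec.exe",
    ":\\windows\\system32\\dllhost.exe",
    ":\\Windows\\system32\\dsac.exe",
    ":\\Windows\\system32\\efsui.exe",
    ":\\windows\\system32\\mmc.exe",
    ":\\windows\\system32\\svchost.exe",
    ":\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
))
FILTER_MAIN_GENERIC_CONTAINS = _lower((
    ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup",
    ":\\Program Files\\SentinelOne\\Sentinel Agent",
))

# filter_optional_ldapwhoami and filter_optional_citrix
FILTER_OPTIONAL_ENDSWITH = _lower((
    "\\LANDesk\\LDCLient\\ldapwhoami.exe",
    ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices"
    "\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe",
))


@dataclass(frozen=True)
class FileEvent:
    image: str            # Sysmon "Image": the process that created the file
    target_filename: str  # Sysmon "TargetFilename": full path of the created file


def selection(ev: FileEvent) -> bool:
    """selection: a .sch file written under ...\\Local\\Microsoft\\Windows\\SchCache\\."""
    target = ev.target_filename.lower()
    return SELECTION_CONTAINS in target and target.endswith(SELECTION_ENDSWITH)


def filter_main(ev: FileEvent) -> bool:
    """1 of filter_main_*: the rule's known-good system, EDR, SCCM and Outlook images."""
    image = ev.image.lower()
    generic = (any(image.endswith(p) for p in FILTER_MAIN_GENERIC_ENDSWITH)
               or any(p in image for p in FILTER_MAIN_GENERIC_CONTAINS))
    office = (":\\program files\\" in image and "\\microsoft office" in image
              and image.endswith("\\outlook.exe"))
    return generic or office


def filter_optional(ev: FileEvent, extra_endswith: Sequence[str] = ()) -> bool:
    """1 of filter_optional_*, plus hypothetical environment-specific image suffixes
    added while tuning the rule against local false positives."""
    image = ev.image.lower()
    patterns = FILTER_OPTIONAL_ENDSWITH + _lower(extra_endswith)
    return any(image.endswith(p) for p in patterns)


def matches(ev: FileEvent, extra_endswith: Sequence[str] = ()) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(ev) and not filter_main(ev) and not filter_optional(ev, extra_endswith)


def hunt(events: Iterable[FileEvent], extra_endswith: Sequence[str] = ()) -> List[FileEvent]:
    """Return the events the rule would alert on."""
    return [ev for ev in events if matches(ev, extra_endswith)]


# Constructed sample events (hypothetical user, tool and domain names).
SCH = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\SchCache\\corp.example.sch"
SAMPLE_EVENTS = [
    # Unknown tool in a user-writable directory: the case the rule is written for.
    FileEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", SCH),
    # Excluded by filter_main_generic (endswith; note the case-insensitive match).
    FileEvent("C:\\WINDOWS\\SYSTEM32\\MMC.EXE", SCH),
    # Excluded by filter_main_generic (contains; versioned agent folder).
    FileEvent("C:\\Program Files\\SentinelOne\\Sentinel Agent 21.7.7.40005\\SentinelAgent.exe", SCH),
    # Excluded by filter_main_office.
    FileEvent("C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", SCH),
    # Excluded by filter_optional_citrix.
    FileEvent("C:\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices"
              "\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe",
              "C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\SchCache\\corp.example.sch"),
    # Not selected at all: same unknown tool, but the file is not a .sch under SchCache.
    FileEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\schema.sch"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT image={hit.image} target={hit.target_filename}")
```

Only the first sample event survives the condition; every exclusion in the rule is exercised by one of the others, which is a useful regression check when the filter lists are edited. Passing an environment-specific suffix through `extra_endswith` mirrors adding a filter_optional_* selection to the rule, and the assertion that the original hit disappears when its image is allow-listed shows how quickly a broad exclusion blinds the rule.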