ldifde

- Table of Contents

Open all sections | Close all sections


- Tool Overview

Category
Information Collection
Description
Outputs account information on the Active Directory in LDIF format.
Example of Presumed Tool Use During an Attack
This tool is used to collect information on the Active Directory and select users and hosts that can be attack targets.

- Tool Operation Overview

Item Description
OS Windows Server
Belonging to Domain Not required
Rights Standard user
Communication Protocol 389/tcp
Service Active Directory Domain Services

- Information Acquired from Log

Standard Settings
  • Host
    • Execution history (Prefetch)
Additional Settings
  • Host
    • An LDIF file containing account information is created (audit policy, Sysmon, USN Journal)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Domain Controller

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • Image: Path to the executable file (path to the tool)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • CommandLine: Command line of the execution command (Path to the tool. The "-f" option identifies the output file name. In addition, if a filter was used, filter conditions can also be identified.)
  • User: Execute as user
2 Security 4663 File System An attempt was made to access an object.
  • Access Request Information > Access: Requested privileges (WriteData or AddFile, AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Name: Target file name (an LDIF file specified by the "-f" option at tool execution)

USN journal

# File Name Process
1 [LDIF file specified by the "-f" option at tool execution] FILE_CREATE

- Details: Domain Controller

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • Image: Path to the executable file (path to the tool)
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • CommandLine: Command line of the execution command (Path to the tool. The "-f" option identifies the output file name. In addition, if a filter was used, filter conditions can also be identified.)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Port: Source port number (389)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (outbound)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (path to the tool)
3 Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Source Port: Source port number (389)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Direction: Communication direction (inbound)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process of the access source process/Thread ID
  • TargetImage: Path to the access destination process (path to the tool)
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • SourceImage: Path to the access source process (C:\Windows\system32\lsass.exe)
  • GrantedAccess: Details of the granted access (0x1478)
4 Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (an LDIF file specified by the "-f" option at tool execution)
  • Process Information > Process Name: Name of the process that closed the handle
  • Object > Object Type: Type of the file (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Audit Success: Success or failure (access successful)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (an LDIF file specified by the "-f" option at tool execution)
  • Access Request Information > Access: Requested privileges (WriteData or AddFile, AppendData)
  • Process Information > Process Name: Name of the process that closed the handle (path to the tool)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that requested the object (path to the tool)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with the immediately prior Event ID: 4656)
Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (path to the tool)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (an LDIF file specified by the "-f" option at tool execution)
  • CreationUtcTime: File creation date and time (UTC)
5 Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Process Information > Process Name: Path to the executable file (path to the tool)
Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the tool)

- USN Journal

# File Name Process Attribute
1 [LDIF file specified by the "-f" option at tool execution] FILE_CREATE archive
[LDIF file specified by the "-f" option at tool execution] DATA_EXTEND+FILE_CREATE archive
[LDIF file specified by the "-f" option at tool execution] CLOSE+DATA_EXTEND+FILE_CREATE archive

- MFT

# Path Header Flag Validity
1 [LDIF file specified by the "-f" option at tool execution] FILE ALLOCATED

- Remarks