---
Name: Ldifde.exe
Description: Creates, modifies, and deletes LDAP directory objects.
Author: 'Grzegorz Tworek'
Created: 2022-08-31
Commands:
  - Command: Ldifde -i -f inputfile.ldf
    Description: Import inputfile.ldf into LDAP. If the file contains http-based attrval-spec such as thumbnailPhoto:< http://example.org/somefile.txt, the file will be downloaded into IE temp folder.
    Usecase: Download file from Internet
    Category: Download
    Privileges: Administrator
    MitreID: T1105
    OperatingSystem: Windows Server with AD Domain Services role,  Windows 10 with AD LDS role.
Full_Path:
  - Path: c:\windows\system32\ldifde.exe
  - Path: c:\windows\syswow64\ldifde.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules/windows/process_creation/proc_creation_win_ldifde_export.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/3d172914f6c2bd5c2b5ed471bf0657a662d395af/rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml
Resources:
  - Link: https://twitter.com/0gtweet/status/1564968845726580736
Acknowledgement:
  - Person: Grzegorz Tworek
    Handle: '@0gtweet'