ADSI-Cache File Creation By Uncommon Tool
Detects the creation of an Active Directory Schema Cache File (.sch) under \Local\Microsoft\Windows\SchCache\ by a process that is not one of the expected ADSI consumers (Outlook and Office, MMC, PowerShell, the endpoint agents and the other images listed in the filters below). ADSI writes this cache when a process binds to the directory through LDAP, so an unexpected image creating it is a sign that a tool which has no business talking to the domain is enumerating it or using LDAP as a transport, which is why the rule is mapped to the Command & Control tactic.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1001.003 Data Obfuscation: Protocol or Service Impersonation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
TargetFilename|endswith: '.sch'
TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
Stage 2: not 1 of filter_main_*
or:
Image|endswith: '\OUTLOOK.EXE'
Image|contains: ':\Program Files\'
Image|contains: '\Microsoft Office'
Image|endswith: ':\Program Files\Cylance\Desktop\CylanceSvc.exe'
Image|endswith: ':\Windows\CCM\CcmExec.exe'
Image|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
Image|endswith: ':\Windows\system32\dsac.exe'
Image|endswith: ':\Windows\system32\efsui.exe'
Image|endswith: ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe'
Image|endswith: ':\windows\system32\dllhost.exe'
Image|endswith: ':\windows\system32\mmc.exe'
Image|endswith: ':\windows\system32\svchost.exe'
Image|contains: ':\Program Files\SentinelOne\Sentinel Agent'
Image|contains: ':\Windows\ccmsetup\autoupgrade\ccmsetup'
Stage 3: not 1 of filter_optional_*
or:
Image|endswith: ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe'
Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
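The three stages above are easier to reason about when run against real events. The following is an added example, not code from the Sigma rule or this catalog: it encodes the selection and the two filter groups as listed on the page (every filter predicate is ORed, as the page presents them) and evaluates them over constructed Sysmon Event ID 11 records. The image ldapclient.exe, the user names and the corp.local.sch file name are invented for illustration. It also shows the caveat that Sigma string modifiers compare case-insensitively, which is why the rule can mix '\Windows\System32' and '\windows\system32' spellings.

```python
# Added example (not part of the Sigma rule or its catalog page): evaluates the
# rule's stages over Sysmon Event ID 11 (FileCreate) records.
# All events below are constructed; ldapclient.exe is a hypothetical tool name.

SELECTION = {
    "TargetFilename|contains": ["\\Local\\Microsoft\\Windows\\SchCache\\"],
    "TargetFilename|endswith": [".sch"],
}

# Stage 2 (filter_main_*): any match here suppresses the alert.
FILTER_MAIN = {
    "Image|endswith": [
        "\\OUTLOOK.EXE",
        ":\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe",
        ":\\Windows\\CCM\\CcmExec.exe",
        ":\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        ":\\Windows\\system32\\dsac.exe",
        ":\\Windows\\system32\\efsui.exe",
        ":\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
        ":\\windows\\system32\\dllhost.exe",
        ":\\windows\\system32\\mmc.exe",
        ":\\windows\\system32\\svchost.exe",
    ],
    "Image|contains": [
        ":\\Program Files\\",
        "\\Microsoft Office",
        ":\\Program Files\\SentinelOne\\Sentinel Agent",
        ":\\Windows\\ccmsetup\\autoupgrade\\ccmsetup",
    ],
}

# Stage 3 (filter_optional_*): tuning filters with the same semantics.
FILTER_OPTIONAL = {
    "Image|endswith": [
        ":\\Program Files\\Citrix\\Receiver StoreFront\\Services\\DefaultDomainServices"
        "\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe",
        "\\LANDesk\\LDCLient\\ldapwhoami.exe",
    ],
}


def _field_matches(event, key, values):
    """One 'Field|modifier' predicate; Sigma compares case-insensitively."""
    field, modifier = key.split("|", 1)
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
    return False


def _all_fields(event, block):
    # Keys of the selection are ANDed; the value list under a key is ORed.
    return all(_field_matches(event, k, v) for k, v in block.items())


def _any_field(event, block):
    # A filter group suppresses the event when any of its predicates matches.
    return any(_field_matches(event, k, v) for k, v in block.items())


def matches_rule(event):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not _all_fields(event, SELECTION):
        return False
    if _any_field(event, FILTER_MAIN) or _any_field(event, FILTER_OPTIONAL):
        return False
    return True


SCH = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\SchCache\\corp.local.sch"
SAMPLE_EVENTS = [
    # 1. Hypothetical tool in a user-writable temp dir writes the cache: alerts.
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ldapclient.exe",
     "TargetFilename": SCH},
    # 2. Outlook refreshing its cache: expected, suppressed by filter_main.
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": SCH},
    # 3. powershell.exe logged with different casing than the rule spells it:
    #    still suppressed, because the comparison is case-insensitive.
    {"EventID": 11, "Image": "c:\\windows\\system32\\windowspowershell\\v1.0\\POWERSHELL.EXE",
     "TargetFilename": SCH},
    # 4. A .sch file written outside SchCache: the selection never fires.
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ldapclient.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.sch"},
]


def evaluate(events):
    """Return one verdict per event; True means the rule would alert."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "quiet ", event["Image"])
```

Two things to keep in mind when deploying the rule: Sysmon only emits Event ID 11 for paths your configuration includes, so a FileCreate rule covering the SchCache directory must be present or the selection never sees anything; and the filter_main predicate ':\Program Files\' exempts every image installed there, so the rule is deliberately blind to anything an attacker can place under Program Files (which normally requires administrative rights).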
Indicators
Each row is a field, the Sigma string modifier the rule applies to it (ends_with for endswith, match for contains), and the values the rule matches, collected from the stages above. The TargetFilename rows drive the selection; the Image rows are the filters that suppress the alert for expected tools.
| Field | Kind | Values |
|---|---|---|
| Image | ends_with | '\OUTLOOK.EXE', ':\Program Files\Cylance\Desktop\CylanceSvc.exe', ':\Windows\CCM\CcmExec.exe', ':\Windows\System32\wbem\WmiPrvSE.exe', ':\Windows\system32\dsac.exe', ':\Windows\system32\efsui.exe', ':\windows\system32\WindowsPowerShell\v1.0\powershell.exe', ':\windows\system32\dllhost.exe', ':\windows\system32\mmc.exe', ':\windows\system32\svchost.exe', ':\Program Files\Citrix\Receiver StoreFront\Services\DefaultDomainServices\Citrix.DeliveryServices.DomainServices.ServiceHost.exe', '\LANDesk\LDCLient\ldapwhoami.exe' |
| Image | match | ':\Program Files\', '\Microsoft Office', ':\Program Files\SentinelOne\Sentinel Agent', ':\Windows\ccmsetup\autoupgrade\ccmsetup' |
| TargetFilename | ends_with | '.sch' |
| TargetFilename | match | '\Local\Microsoft\Windows\SchCache\' |