Usage of Csvde for Active Directory Enumeration

Rule Info

Name
Usage of Csvde for Active Directory Enumeration
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of the CSVDE utility for Active Directory object discovery. Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. Threat actors may use CSVDE to extract information from Active Directory, such as user accounts, groups, and organizational units.
Date
2025-05-26 00:00:00
Modified
None
Id
764f0589-18eb-4ef2-83db-9fced90c64aa
Tags
attack.discovery attack.t1087.002
Type
Nextron Sigma feed only (private)

Rule History