Threat ID: TL-2026-0113 | Severity: HIGH | Status: ACTIVE
Actors: FIN7 (Carbanak), APT10/menuPass (Stone Panda) | Motivation: Espionage, Financial Crime
MITRE Techniques: 17 | Detections: 9 | Category: THREAT_INTEL
CSVDE ships with every Windows Server. Most defenders have never heard of it. APT10 has.
CSVDE.exe is a command-line utility baked into every Windows Server installation carrying the AD DS role. It exports Active Directory objects to CSV format via LDAP — and both FIN7 and APT10/menuPass have weaponized it as a Living-off-the-Land Binary for bulk directory reconnaissance. One command. The entire AD structure. Users, groups, service accounts, OUs, computer objects — all dumped to a flat file.
No malware needed. Below: the mechanics of CSVDE.exe abuse, documented APT usage, the kerberoasting precursor chain, and production-ready detection queries in SPL, KQL, and Sigma.
SigmaHQ detection rule for 'Active Directory Structure Export Via Csvde.EXE' — community-contributed SIEM detection logic with process creation monitoring.
Executive Summary
- What: CSVDE.exe (%windir%\system32\csvde.exe) is a legitimate Microsoft-signed Windows Server utility weaponized as a LOLBIN for bulk Active Directory reconnaissance and data export via LDAP
- Who: FIN7 (financial crime, US automotive/retail/hospitality) and APT10/menuPass (China-nexus espionage, Operation Cloud Hopper targeting MSPs) — both documented by MITRE ATT&CK
- Impact: Complete Active Directory structure extraction in a single command — user accounts, group memberships, service principal names (SPNs), and computer objects — enabling kerberoasting, privilege escalation, and lateral movement
- Status: Ongoing technique with no patch available — CSVDE.exe is a legitimate tool, not a vulnerability
- Detection: 9 production-ready detections available on Threadlinqs Intelligence covering SPL, KQL, and Sigma
Timeline
| Date | Event |
|---|---|
| 2003 | Microsoft introduces csvde.exe with Windows Server 2003 as part of AD DS tools |
| 2016 | APT10/menuPass launches Operation Cloud Hopper; csvde.exe used for AD recon after MSP pivot |
| 2017-04 | PwC UK publishes Cloud Hopper Technical Annex documenting APT10 csvde.exe usage |
| 2024-04 | BlackBerry reports FIN7 targeting US automotive industry using csvde.exe with PowerShell scripts |
| 2024-06 | MITRE ATT&CK T1087.002 formally documents csvde.exe usage by FIN7 and menuPass |
| 2024-12 | CSVDE.exe recognized in the broader AD LOLBIN ecosystem alongside dsquery, ldifde, and nltest |
| Ongoing | CSVDE.exe abuse persists as a technique — no patch exists for a legitimate tool |
Technical Analysis
CSVDE.exe resides in %windir%\system32 on Windows Server systems with the AD DS or AD LDS role installed. The utility performs direct LDAP queries against domain controllers and outputs results in comma-separated format. Unlike GUI tools such as Active Directory Users and Computers, CSVDE exposes every queryable LDAP attribute, including those not visible through standard administrative interfaces.
The tool's offensive value lies in its flags. The -f flag specifies the output file. The -r flag accepts LDAP filter syntax for targeted queries. The -l flag selects specific attributes. The -s flag targets remote domain controllers, and -p SubTree sets the full directory scope.
The Kerberoasting Precursor Chain
CSVDE.exe is particularly dangerous as a kerberoasting precursor. An attacker can enumerate all service accounts with registered SPNs using a targeted LDAP filter:
csvde -r "(servicePrincipalName=*)" -l "sAMAccountName,servicePrincipalName,distinguishedName" -f spn_accounts.csv
This returns every account with an SPN — the exact target list needed for a kerberoasting attack (T1558.003). Living off the land. Hiding in plain sight. The attacker then requests Kerberos service tickets for those SPNs and cracks them offline to recover service account passwords. Domain Admins, SQL service accounts, and Exchange service accounts are common high-value targets.
What caught our attention was the low barrier here: any domain-authenticated user can run this command. No elevated privileges required. The operator already has everything they need after the initial foothold.
Why CSVDE.exe Evades Detection
The tool's effectiveness as a LOLBIN stems from five properties:
- Microsoft-signed binary — Ships with Windows Server, signed by Microsoft. Default AV and EDR policies do not flag it.
- Legitimate administrative use — AD administrators use CSVDE for provisioning, migrations, and auditing. Distinguishing malicious from legitimate execution requires behavioral context.
- No external download — Already present on target systems. No need to transfer tools that might trigger network-based detections.
- Complete output — A single csvde -f output.csv command exports the entire directory.
- Parseable format — CSV output feeds directly into automated attack pipelines for target selection.
Attack Chain
- Initial Access — Spear-phishing (FIN7 automotive campaign), VPN compromise, or MSP pivot (APT10 Cloud Hopper)
- Credential Access — Stolen credentials or Kerberos ticket abuse provide domain-joined context
- Discovery — csvde.exe -f output.csv dumps the full AD structure; -r filters target specific object classes
- Data Staging — CSV output staged locally (T1074.001) for parsing and target selection
- Lateral Movement — Discovered accounts, groups, and trust relationships enable hopping boxes via SMB (T1021.002)
- Objective — Pulling data out (APT10), financial fraud (FIN7), or ransomware staging
LOLBAS Project — the community catalog of living-off-the-land binaries, scripts, and libraries abused by threat actors including CSVDE.exe for AD data export.
Threat Actor Profile
FIN7 (Carbanak / Carbon Spider / ELBRUS)
FIN7 is a financially motivated threat group active since at least 2013. In April 2024, BlackBerry documented a campaign targeting the US automotive industry where FIN7 used csvde.exe alongside 3CF9.ps1 PowerShell scripts and the WsTaskLoad executable for Active Directory enumeration. MITRE ATT&CK T1087.002 formally attributes csvde.exe usage to FIN7: "FIN7 has also used csvde.exe, which is a built-in Windows command line tool, to export Active Directory information."
FIN7 primarily targets the US retail, hospitality, financial, and automotive sectors. The group has historically used sophisticated spear-phishing with malicious documents, point-of-sale malware, and Carbanak/Cobalt Strike backdoors.
APT10 / menuPass (Stone Panda / Red Apollo / CVNX)
APT10 is a China-nexus espionage group responsible for Operation Cloud Hopper (2016-2017), a large-scale campaign targeting managed IT service providers (MSPs) globally. PwC UK's Cloud Hopper Technical Annex (April 2017) specifically documents APT10's use of csvde.exe for Active Directory data export after gaining access through compromised MSPs. The BAE Systems analysis confirmed the MSP supply-chain methodology.
APT10 used MSP access to pivot into customer networks across the pharmaceutical, engineering, automotive, and government sectors. The approach was LOLBIN-heavy: csvde.exe provided the AD reconnaissance foundation for identifying high-value targets within each compromised customer environment. From a detection engineering perspective, the Cloud Hopper intrusions showed that MSP-to-customer pivots make CSVDE execution even harder to spot: the tool runs on servers where AD administration is expected.
Detection
Catching CSVDE.exe abuse takes a layered approach: process creation monitoring, LDAP query volume analysis, and first-time execution anomaly detection. Legitimate use is rare. When we ran these queries against production data, the false positive rate was near zero — most AD admins moved to PowerShell cmdlets or ADUC years ago.
Threadlinqs Intelligence tracks 9 production-ready detection rules for this threat across SPL, KQL, and Sigma.
Splunk SPL
Watch for csvde.exe process creation with the export flag (-f) — that flag means AD data is being staged to disk.
```spl
index=* sourcetype IN ("xmlwineventlog", "WinEventLog:Sysmon/Operational")
(EventCode=1 OR EventCode=4688)
(process_name="csvde.exe" OR OriginalFileName="csvde.exe" OR CommandLine="*csvde*")
| eval has_export_flag=if(like(CommandLine, "%-f %"), "yes", "no")
| eval has_ldap_filter=if(like(CommandLine, "%-r %"), "yes", "no")
| eval has_remote_dc=if(like(CommandLine, "%-s %"), "yes", "no")
| stats count values(CommandLine) as commands values(ParentImage) as parent_process
    values(User) as users by dest, has_export_flag, has_ldap_filter, has_remote_dc
| where count > 0
```
The AD LOLBIN chain is noisy when you know what to look for. Two or more recon tools from the same host within an hour — csvde plus dsquery, nltest, or AdFind — is a strong signal of systematic reconnaissance.
```spl
index=* sourcetype IN ("xmlwineventlog", "WinEventLog:Sysmon/Operational")
EventCode=1
(process_name IN ("csvde.exe","dsquery.exe","dsget.exe","ldifde.exe","nltest.exe","AdFind.exe"))
| bucket _time span=1h
| stats dc(process_name) as unique_tools values(process_name) as tools_used by dest, _time
| where unique_tools >= 2
```
Microsoft KQL
First-time csvde.exe execution on a host is a strong post-exploitation indicator. Most servers go their entire lifecycle without running this binary.
```kql
let baseline = DeviceProcessEvents
| where Timestamp > ago(30d) and Timestamp < ago(1d)
| where FileName =~ "csvde.exe"
| distinct DeviceName;
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "csvde.exe"
| where DeviceName !in (baseline)
| project Timestamp, DeviceName, ProcessCommandLine, AccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine
```
CSV file creation within five minutes of csvde.exe execution means AD data has been staged locally — the attacker is building a target list.
```kql
let csvde_exec = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "csvde.exe"
| project csvde_time = Timestamp, DeviceName;
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".csv"
| join kind=inner (csvde_exec) on DeviceName
| where Timestamp between (csvde_time .. (csvde_time + 5m))
| project Timestamp, DeviceName, FileName, FolderPath, FileSize
```
Sigma
Targeted LDAP export flags — -r with a filter, -l selecting specific attributes — separate deliberate AD extraction from casual usage. This Sigma rule keys on that distinction.
```yaml
title: CSVDE.exe Targeted AD Export with LDAP Filter
id: c7a3f1e2-9b45-4d8a-a6e1-3f2c8d7b9e04
status: experimental
description: |
  Detects csvde.exe execution with export and LDAP filter flags indicating
  targeted Active Directory data extraction. SPN enumeration via
  -r servicePrincipalName is a kerberoasting precursor. Used by FIN7 and
  APT10/menuPass for AD reconnaissance.
references:
  - https://intel.threadlinqs.com/#TL-2026-0113
  - https://attack.mitre.org/techniques/T1087/002/
  - https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
  - attack.discovery
  - attack.t1087.002
  - attack.credential_access
  - attack.t1558.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\csvde.exe'
    - OriginalFileName: 'csvde.exe'
  selection_export:
    CommandLine|contains:
      - ' -f '
  selection_filter:
    CommandLine|contains:
      - ' -r '
      - ' -l '
      - ' -p '
      - ' -s '
  filter_import:
    CommandLine|contains: ' -i'
  condition: selection_img and selection_export and selection_filter and not filter_import
falsepositives:
  - Planned AD migration with specific LDAP filters
  - AD audit scripts using csvde for scheduled exports
level: high
```
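The Sigma condition above and the hourly LOLBIN-chain correlation from the Splunk section, re-implemented in Python over constructed process-creation records so the logic can be tested offline (an added example, not part of this report or of any SIEM product; field names mirror Sysmon Event ID 1, and the hosts, paths and command lines are made up). The renamed-copy record shows why the rule also keys on OriginalFileName, and the chain function reproduces the fixed-bucket behaviour of the SPL `bucket` command.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"csvde.exe", "dsquery.exe", "dsget.exe", "ldifde.exe", "nltest.exe", "adfind.exe"}

# Constructed Sysmon Event ID 1-style records; hostnames and paths are placeholders.
EVENTS = [
    {"Computer": "DC01", "UtcTime": "2026-02-22 09:00:00", "OriginalFileName": "csvde.exe",
     "Image": r"C:\Windows\System32\csvde.exe",
     "CommandLine": 'csvde -r "(servicePrincipalName=*)" -l "sAMAccountName" -f spn.csv'},
    {"Computer": "DC01", "UtcTime": "2026-02-22 09:05:00", "OriginalFileName": "csvde.exe",
     "Image": r"C:\Windows\System32\csvde.exe",
     "CommandLine": 'csvde -i -f newusers.csv -r "(objectClass=user)"'},   # import run, not export
    {"Computer": "SRV02", "UtcTime": "2026-02-22 10:00:00", "OriginalFileName": "csvde.exe",
     "Image": r"C:\Users\Public\upd.exe",                                   # renamed copy (T1036.003)
     "CommandLine": "upd.exe -f out.csv -p SubTree"},
    {"Computer": "SRV02", "UtcTime": "2026-02-22 10:20:00", "OriginalFileName": "nltest.exe",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /domain_trusts"},
    {"Computer": "SRV02", "UtcTime": "2026-02-22 10:40:00", "OriginalFileName": "dsquery.exe",
     "Image": r"C:\Windows\System32\dsquery.exe", "CommandLine": "dsquery computer"},
    {"Computer": "WS01", "UtcTime": "2026-02-22 10:50:00", "OriginalFileName": "nltest.exe",
     "Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:"},
    {"Computer": "WS01", "UtcTime": "2026-02-22 11:10:00", "OriginalFileName": "dsquery.exe",
     "Image": r"C:\Windows\System32\dsquery.exe", "CommandLine": "dsquery computer"},
]

def is_targeted_csvde_export(ev):
    """Sigma condition: selection_img and selection_export and selection_filter and not filter_import.
    Sigma string modifiers match case-insensitively by default, hence the lower() calls."""
    cl = ev["CommandLine"].lower()
    selection_img = (ev["Image"].lower().endswith("\\csvde.exe")
                     or ev.get("OriginalFileName", "").lower() == "csvde.exe")
    selection_export = " -f " in cl
    selection_filter = any(flag in cl for flag in (" -r ", " -l ", " -p ", " -s "))
    filter_import = " -i" in cl
    return selection_img and selection_export and selection_filter and not filter_import

def lolbin_chain_hosts(events, span_minutes=60):
    """SPL equivalent of `bucket _time span=1h | stats dc(process_name) by dest, _time | where >= 2`."""
    span = timedelta(minutes=span_minutes)
    tools_by_bucket = defaultdict(set)                   # (host, bucket start) -> distinct tool names
    for ev in events:
        tool = ev["Image"].rsplit("\\", 1)[-1].lower()   # process_name comes from Image, not OriginalFileName
        if tool not in RECON_TOOLS:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        bucket = datetime.min + (ts - datetime.min) // span * span   # floor to the bucket boundary
        tools_by_bucket[(ev["Computer"], bucket)].add(tool)
    return sorted({host for (host, _), tools in tools_by_bucket.items() if len(tools) >= 2})
```

WS01's two tools are 20 minutes apart but straddle the 11:00 boundary, so the 1h bucket misses them; widening span_minutes (or moving to a sliding window) catches that pair at the cost of coarser grouping.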
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
PwC and BAE Systems 'Operation Cloud Hopper' technical annex detailing APT10's systematic use of native Windows tools for Active Directory enumeration.
Indicators of Compromise
CSVDE.exe is a legitimate Microsoft binary. There are no traditional network or file hash IOCs. Detection relies entirely on behavioral indicators.
Behavioral Indicators
| Indicator | Context |
|---|---|
| csvde.exe process creation | Any execution outside planned AD administration is suspicious |
| -f flag in command line | File export — AD data being staged locally |
| -r (servicePrincipalName=*) | SPN enumeration — kerberoasting precursor |
| -r (objectClass=User) | Bulk user account enumeration |
| -p SubTree scope flag | Full directory scope — complete dump |
| -s flag with remote DC | Targeting specific domain controller |
| Large CSV file creation after csvde.exe | Staged AD data ready for exfiltration |
| Multiple AD LOLBINs within 1 hour | csvde + dsquery + nltest = systematic reconnaissance |
| csvde.exe from non-DC host | Domain controllers are expected sources; workstations are not |
| First-time csvde.exe on a host | Anomaly — most servers never execute this tool |
LOLBIN Ecosystem Context
| Tool | Binary | Typical Abuse |
|---|---|---|
| CSVDE | csvde.exe | Bulk AD export to CSV (FIN7, APT10) |
| LDIFDE | ldifde.exe | Bulk AD export to LDIF format |
| DSQuery | dsquery.exe | Targeted LDAP queries (APT41, Ke3chang) |
| DSGet | dsget.exe | AD object attribute retrieval |
| NLTest | nltest.exe | Domain trust enumeration |
| AdFind | AdFind.exe | Third-party AD query (Ryuk, FIN6, BlackByte) |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Context |
|---|---|---|---|
| Discovery | Account Discovery: Domain Account | T1087.002 | Bulk user/group/computer enumeration via csvde.exe LDAP export |
| Discovery | Permission Groups Discovery: Domain Groups | T1069.002 | Group membership extraction for privilege mapping |
| Discovery | Remote System Discovery | T1018 | Computer object enumeration from AD |
| Discovery | Domain Trust Discovery | T1482 | Trust relationship mapping across domains |
| Discovery | System Network Configuration Discovery | T1016 | Network topology from AD site/subnet objects |
| Discovery | System Owner/User Discovery | T1033 | Account ownership and attribution data |
| Discovery | Account Discovery: Local Account | T1087.001 | Local account enumeration on compromised hosts |
| Defense Evasion | System Binary Proxy Execution | T1218 | Microsoft-signed binary evades application controls |
| Defense Evasion | Masquerading: Rename System Utilities | T1036.003 | Renamed csvde.exe to evade filename-based detection |
| Collection | Data from Information Repositories | T1213 | AD as an information repository for bulk extraction |
| Collection | Data Staged: Local Data Staging | T1074.001 | CSV output staged locally before exfiltration |
| Credential Access | Kerberoasting | T1558.003 | SPN enumeration as kerberoasting precursor |
| Credential Access | AS-REP Roasting | T1558.004 | User enumeration identifies accounts without pre-auth |
| Credential Access | Password Spraying | T1110.003 | Harvested usernames feed spray attacks |
| Execution | Windows Command Shell | T1059.003 | csvde.exe invoked via cmd.exe |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Staged CSV exfiltrated over existing C2 |
| Lateral Movement | SMB/Windows Admin Shares | T1021.002 | Discovered accounts enable targeted SMB pivoting |
Full MITRE ATT&CK mapping: View coverage on Threadlinqs
TL-2026-0113 on Threadlinqs Intelligence — CSVDE.exe LOLBIN for Active Directory reconnaissance used by FIN7 and APT10 with 9/9 detection coverage and 24 shared IOCs.
Recommendations
- Deploy process creation monitoring for csvde.exe — any execution with the -f flag should generate a HIGH alert in environments where AD administrators do not use this tool
- Implement application control via Windows Defender Application Control (WDAC) or AppLocker to restrict csvde.exe execution to authorized administrative accounts
- Enable LDAP query auditing on domain controllers (Event ID 1644) to detect bulk directory queries regardless of the tool used
- Establish a LOLBIN baseline for csvde.exe, dsquery.exe, dsget.exe, ldifde.exe, and nltest.exe — alert on first-time use or execution by non-administrative accounts
- Adopt tiered administration — Tier 0 (DC admin), Tier 1 (server admin), Tier 2 (workstation admin) — to limit the value an attacker gains from AD reconnaissance
References
- MITRE ATT&CK T1087.002 — Account Discovery: Domain Account — MITRE, 2024
- FIN7 Targets the United States Automotive Industry — BlackBerry, April 2024
- Operation Cloud Hopper Technical Annex — PwC UK, April 2017
- Operation Cloud Hopper — APT10 — BAE Systems, 2017
- Microsoft Csvde Command Reference — Microsoft
- LOLBAS Project — Living Off The Land Binaries and Scripts — LOLBAS Project
- MITRE ATT&CK T1069.002 — Permission Groups Discovery: Domain Groups — MITRE
- Active Directory Structure Export Via Csvde.EXE — Sigma Rule — SigmaHQ
Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0113.