PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

Detects active directory enumeration activity using known AdFind CLI flags

Sigma rule (View on GitHub)

 1title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
 2id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 3related:
 4    - id: 9a132afa-654e-11eb-ae93-0242ac130002
 5      type: similar
 6status: test
 7description: Detects active directory enumeration activity using known AdFind CLI flags
 8references:
 9    - https://www.joeware.net/freetools/tools/adfind/
10    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
12author: frack113
13date: 2021-12-13
14modified: 2023-03-05
15tags:
16    - attack.discovery
17    - attack.t1087.002
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_password: # Listing password policy
23        CommandLine|contains:
24            - lockoutduration
25            - lockoutthreshold
26            - lockoutobservationwindow
27            - maxpwdage
28            - minpwdage
29            - minpwdlength
30            - pwdhistorylength
31            - pwdproperties
32    selection_enum_ad: # Enumerate Active Directory Admins
33        CommandLine|contains: '-sc admincountdmp'
34    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
35        CommandLine|contains: '-sc exchaddresses'
36    condition: 1 of selection_*
37falsepositives:
38    - Authorized administrative activity
39level: high

References

Related rules

to-top