PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

 1title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
 2id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 3related:
 4    - id: 9a132afa-654e-11eb-ae93-0242ac130002
 5      type: similar
 6status: test
 7description: Detects active directory enumeration activity using known AdFind CLI flags
 8references:
 9    - https://www.joeware.net/freetools/tools/adfind/
10    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
12author: frack113
13date: 2021/12/13
14modified: 2023/03/05
15tags:
16    - attack.discovery
17    - attack.t1087.002
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection_password: # Listing password policy
23        CommandLine|contains:
24            - lockoutduration
25            - lockoutthreshold
26            - lockoutobservationwindow
27            - maxpwdage
28            - minpwdage
29            - minpwdlength
30            - pwdhistorylength
31            - pwdproperties
32    selection_enum_ad: # Enumerate Active Directory Admins
33        CommandLine|contains: '-sc admincountdmp'
34    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
35        CommandLine|contains: '-sc exchaddresses'
36    condition: 1 of selection_*
37falsepositives:
38    - Authorized administrative activity
39level: high

References

•  AdFind AdFind Summary Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure. This...

  
  Read More

• AdFind command examples

  

  AdFind command examples Article 1/17/2024 AdFind created by Joe Richards . He is great Active Directory MVP and created more Free Tools here . Here is AdFind Usage and examples. Query the schema ve...

  
  Read More

• atomic-red-team/atomics/T1087.002/T1087.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• PUA - AdFind Suspicious Execution
• Potential Active Directory Reconnaissance/Enumeration Via LDAP
• AD Privileged Users or Groups Reconnaissance
• Domain User Enumeration Network Recon 01
• HackTool - Bloodhound/Sharphound Execution