PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
Sigma rule (View on GitHub)
1title: PUA - AdFind Suspicious Execution
2id: 9a132afa-654e-11eb-ae93-0242ac130002
3related:
4 - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
5 type: similar
6 - id: 75df3b17-8bcc-4565-b89b-c9898acef911
7 type: obsoletes
8status: test
9description: Detects AdFind execution with common flags seen used during attacks
10references:
11 - https://www.joeware.net/freetools/tools/adfind/
12 - https://thedfirreport.com/2020/05/08/adfind-recon/
13 - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
14 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
15 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
16 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
17 - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
18author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
19date: 2021/02/02
20modified: 2023/03/05
21tags:
22 - attack.discovery
23 - attack.t1018
24 - attack.t1087.002
25 - attack.t1482
26 - attack.t1069.002
27 - stp.1u
28logsource:
29 category: process_creation
30 product: windows
31detection:
32 selection:
33 CommandLine|contains:
34 - 'domainlist'
35 - 'trustdmp'
36 - 'dcmodes'
37 - 'adinfo'
38 - ' dclist '
39 - 'computer_pwdnotreqd'
40 - 'objectcategory='
41 - '-subnets -f'
42 - 'name="Domain Admins"'
43 - '-sc u:'
44 - 'domainncs'
45 - 'dompol'
46 - ' oudmp '
47 - 'subnetdmp'
48 - 'gpodmp'
49 - 'fspdmp'
50 - 'users_noexpire'
51 - 'computers_active'
52 - 'computers_pwdnotreqd'
53 condition: selection
54falsepositives:
55 - Legitimate admin activity
56level: high
References
-
AdFind AdFind Summary Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure. This...
Read More -
A threat actor logged into the RDP honeypot from 217[.]182[.]242[.]13 (OVH) with a hostname of WORK9F3B. Within 20 seconds they opened a command prompt and issued the following commands They … Read More
Read More -
The Trickbot threat actors used Cobalt Strike to pivot through-out the domain, dumping lsass and ntds.dit as they went. They used tools such as AdFind, Nltest, Net, Bloodhound, and PowerView to peruse the domain, looking for high privileged credentials to accomplish their mission. They used PowerShell, SMB, and WMI to move laterally.
Read More -
AdFind command examples Article 1/17/2024 AdFind created by Joe Richards . He is great Active Directory MVP and created more Free Tools here . Here is AdFind Usage and examples. Query the schema ve...
Read More -
An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. - center-for-threat-informed-defense/adversary_emulation_library
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Renamed AdFind Execution
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- HackTool - Bloodhound/Sharphound Execution
- Active Directory Computers Enumeration With Get-AdComputer
- Reconnaissance Activity