Renamed AdFind Execution

 1title: Renamed AdFind Execution
 2id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
 3status: test
 4description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
 5references:
 6    - https://www.joeware.net/freetools/tools/adfind/
 7    - https://thedfirreport.com/2020/05/08/adfind-recon/
 8    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
 9    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
10    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
11    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
12author: Florian Roth (Nextron Systems)
13date: 2022-08-21
14modified: 2023-02-14
15tags:
16    - attack.discovery
17    - attack.t1018
18    - attack.t1087.002
19    - attack.t1482
20    - attack.t1069.002
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_1:
26        CommandLine|contains:
27            - 'domainlist'
28            - 'trustdmp'
29            - 'dcmodes'
30            - 'adinfo'
31            - ' dclist '
32            - 'computer_pwdnotreqd'
33            - 'objectcategory='
34            - '-subnets -f'
35            - 'name="Domain Admins"'
36            - '-sc u:'
37            - 'domainncs'
38            - 'dompol'
39            - ' oudmp '
40            - 'subnetdmp'
41            - 'gpodmp'
42            - 'fspdmp'
43            - 'users_noexpire'
44            - 'computers_active'
45            - 'computers_pwdnotreqd'
46    selection_2:
47        - Imphash:
48              - bca5675746d13a1f246e2da3c2217492
49              - 53e117a96057eaf19c41380d0e87f1c2
50        - Hashes|contains:
51              - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
52              - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
53    selection_3:
54        OriginalFileName: 'AdFind.exe'
55    filter:
56        Image|endswith: '\AdFind.exe'
57    condition: 1 of selection* and not filter
58falsepositives:
59    - Unknown
60level: high

References

•  AdFind AdFind Summary Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure. This...

  
  Read More

• AdFind Recon

  

  A threat actor logged into the RDP honeypot from 217[.]182[.]242[.]13 (OVH) with a hostname of WORK9F3B. Within 20 seconds they opened a command prompt and issued the following commands They then l…

  
  Read More

• Trickbot Still Alive and Well

  

  In October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command infiltrating the botnet, and allege…

  
  Read More

• https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

  
  Read More

• AdFind command examples

  

  AdFind command examples Article 1/17/2024 AdFind created by Joe Richards . He is great Active Directory MVP and created more Free Tools here . Here is AdFind Usage and examples. Query the schema ve...

  
  Read More

• adversary_emulation_library/fin6/Emulation_Plan/Phase1.md at bf62ece1c679b07b5fb49c4bae947fe24c81811f · center-for-threat-informed-defense/adversary_emulation_library

  

  An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. - center-for-threat-informed-defense/adversary_emulation_library

  
  Read More

Related rules

• PUA - AdFind Suspicious Execution
• AdFind Discovery
• BloodHound Collection Files
• HackTool - Bloodhound/Sharphound Execution
• Malicious PowerShell Commandlets - PoshModule