Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Find information about network devices that is not stored in config files
Detects nltest commands that can be used for information discovery
Detects AdFind execution with common flags seen used during attacks
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
Detects certain command line parameters often used during reconnaissance activity via web shells
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Detects the enumeration of other remote systems.
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
Detects usage of "Get-AdComputer" to enumerate computers or their properties within Active Directory.
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
This tool enables enumeration and exporting of all DNS records in the zone for reconnaissance of internal networks. Python 3 and python.exe must be installed.
Used to query/modify DNS records for Active Directory integrated DNS via LDAP
Enumerates Active Directory to determine computers that are joined to the domain
AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.