AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.
Detects default file names output by the BloodHound collection tool SharpHound
Detects Commandlet names from well-known PowerShell exploitation frameworks
Adversaries may look for details about the network configuration and settings of systems they access, or gather them through information discovery of remote systems.
Detects AdFind execution with common flags seen during attacks
Detects potential Active Directory enumeration via LDAP
Detects command line parameters used by the BloodHound and SharpHound hack tools
Detects the use of a renamed AdFind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"