Suspicious LDAP Domain Access · May 23, 2023 · attack.discovery attack.t1482 ·
Detects suspicious LDAP requests from non-Windows applications
Malicious PowerShell Commandlets - PoshModule
Malicious PowerShell Commandlets - ProcessCreation
Malicious PowerShell Commandlets - ScriptBlock
BloodHound Collection Files · Apr 11, 2023 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·
Detects the default file names output by the BloodHound collection tool SharpHound
PUA - AdFind Suspicious Execution · Mar 5, 2023 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002 ·
Detects AdFind execution with common flags seen used during attacks
HackTool - TruffleSnout Execution · Feb 16, 2023 · attack.discovery attack.t1482 ·
Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
HackTool - SharpView Execution · Feb 13, 2023 · attack.discovery attack.t1049 attack.t1069.002 attack.t1482 attack.t1135 attack.t1033 ·
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Renamed AdFind Execution · Feb 13, 2023 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002 ·
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
HackTool - Bloodhound/Sharphound Execution · Feb 4, 2023 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·
Detects command line parameters used by Bloodhound and Sharphound hack tools
Potential Recon Activity Via Nltest.EXE · Feb 4, 2023 · attack.discovery attack.t1016 attack.t1482 ·
Nltest.EXE Execution · Feb 3, 2023 · attack.discovery attack.t1016 attack.t1018 attack.t1482 ·
Domain Trust Discovery Via Dsquery · Feb 3, 2023 · attack.discovery attack.t1482 ·
Detects execution of "dsquery.exe" for domain trust discovery
Potential Active Directory Reconnaissance/Enumeration Via LDAP · Jan 30, 2023 · attack.discovery attack.t1069.002 attack.t1087.002 attack.t1482 ·
Detects potential Active Directory enumeration via LDAP
AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.