Detects nltest commands that can be used for information discovery
Detects AdFind execution with common flags seen used during attacks
Detects potential Active Directory enumeration via LDAP
Detects default file names output by the BloodHound collection tool SharpHound
Detects command line parameters used by the BloodHound and SharpHound hack tools
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
Detects DNS server discovery via LDAP query requests from uncommon applications
Detects Commandlet names from well-known PowerShell exploitation frameworks
Detects domain trust enumeration with nltest.exe, a procedure associated with SocGholish. Part of the RedCanary 2023 Threat Detection Report.
Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
Detects execution of "dsquery.exe" for domain trust discovery
AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.