Detect suspicious LDAP request from non-Windows application

Detects Commandlet names from well-known PowerShell exploitation frameworks

Detects Commandlet names from well-known PowerShell exploitation frameworks

Detects Commandlet names from well-known PowerShell exploitation frameworks

Detects default file names outputted by the BloodHound collection tool SharpHound

Detects AdFind execution with common flags seen used during attacks

Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Detects command line parameters used by Bloodhound and Sharphound hack tools

Detects nltest commands that can be used for information discovery

Detects nltest commands that can be used for information discovery

Detects execution of "dsquery.exe" for domain trust discovery

Detects potential Active Directory enumeration via LDAP

AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.