AdFind Discovery
AdFind is a free command-line Active Directory query tool that has been seen in numerous intrusions, where threat actors run it to enumerate domain trusts, groups, organizational units, computers, users and subnets. This rule matches the command lines those actors have been observed running. Because the selection keys on the arguments rather than the image name, a renamed copy of AdFind still fires the rule; a query using a different filter syntax (for example objectClass instead of objectcategory) would not.
Sigma rule
title: AdFind Discovery
id: 50046619-1037-49d7-91aa-54fc92923604
status: stable
description: AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.
author: 'The DFIR Report'
date: 2022-05-14
modified: 2024-02-23
references:
    - https://thedfirreport.com/2020/05/08/adfind-recon/
    - https://thedfirreport.com/?s=adfind
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-gcb -sc trustdmp'
            - '-f "(objectcategory=group)"'
            - '-f (objectcategory=group)'
            - '-subnets -f (objectCategory=subnet)'
            - '-sc trustdmp'
            - '-f "(objectcategory=organizationalUnit)"'
            - '-f (objectcategory=organizationalUnit)'
            - '-f "objectcategory=computer"'
            - '-f objectcategory=computer'
            - '-f "(objectcategory=person)"'
            - '-f (objectcategory=person)'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for Active Directory querying.
level: medium
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1482
    - attack.t1069.002
    - attack.t1087.002
    - attack.s0552
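The following is an added example, not code from the Sigma project or from The DFIR Report. It reimplements only the matching semantics this rule depends on (each `CommandLine|contains` value is an unanchored, case-insensitive substring test, and the list is OR'd) and runs the rule over a handful of constructed process_creation events, including a renamed AdFind binary that still matches and a near-miss filter that does not. The event dictionaries and field names are constructed for the example.

```python
"""Sigma-style `CommandLine|contains` matching over constructed process_creation events.

Added example: not the Sigma engine and not DFIR Report code. It mirrors the
semantics this rule relies on: `contains` is an unanchored, case-insensitive
substring test (Sigma modifiers are case-insensitive unless |cased is used),
and a list of values is OR'd together.
"""
from __future__ import annotations

# The rule's selection list, copied from the Sigma rule above.
ADFIND_PATTERNS = [
    '-gcb -sc trustdmp',
    '-f "(objectcategory=group)"',
    '-f (objectcategory=group)',
    '-subnets -f (objectCategory=subnet)',
    '-sc trustdmp',
    '-f "(objectcategory=organizationalUnit)"',
    '-f (objectcategory=organizationalUnit)',
    '-f "objectcategory=computer"',
    '-f objectcategory=computer',
    '-f "(objectcategory=person)"',
    '-f (objectcategory=person)',
]


def sigma_contains(value: str, needle: str) -> bool:
    """Case-insensitive substring match, as Sigma's `contains` modifier behaves by default."""
    return needle.lower() in value.lower()


def matches_adfind_discovery(event: dict) -> list[str]:
    """Return every selection value that hits the event's CommandLine.

    An empty list means the rule does not fire for this event. Returning the
    hits (rather than a bool) is useful when triaging which query was run.
    """
    cmd = event.get("CommandLine", "")
    return [p for p in ADFIND_PATTERNS if sigma_contains(cmd, p)]


# Constructed sample events in a Sysmon Event ID 1 style (Image + CommandLine).
SAMPLE_EVENTS = [
    # Classic user enumeration with the quoted filter form.
    {"Image": r"C:\Users\Public\AdFind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=person)" > ad_users.txt'},
    # Trust dump; hits two overlapping selection values.
    {"Image": r"C:\Users\Public\AdFind.exe",
     "CommandLine": "adfind.exe -gcb -sc trustdmp > trustdmp.txt"},
    # Renamed binary: the rule keys on arguments, so it still fires.
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": "svc.exe -f objectcategory=computer > comps.txt"},
    # Same intent with a different LDAP attribute: no selection value matches.
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": "svc.exe -f (objectClass=computer) > comps.txt"},
    # Unrelated benign process.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "dir C:\\"'},
]


def run_rule(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Apply the rule to a batch of events; return (CommandLine, hits) for firing events only."""
    results = []
    for event in events:
        hits = matches_adfind_discovery(event)
        if hits:
            results.append((event.get("CommandLine", ""), hits))
    return results


if __name__ == "__main__":
    for cmdline, hits in run_rule(SAMPLE_EVENTS):
        print(f"ALERT AdFind Discovery: {cmdline!r} matched {hits}")
```

The fourth sample event is the practical caveat: the selection values are exact substrings, so an operator who rewrites the filter (objectClass instead of objectcategory, or extra whitespace inside the parentheses) slips past this rule. Pairing it with the related trust-enumeration and Global Catalog rules below narrows that gap.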
Related rules
- Enumerating Domain Trust Relationships with Nltest.exe
- WMI Reconnaissance
- Domain User Enumeration Network Recon 01
- SocGholish NLTest Domain Trust Enumeration (RedCanary Threat Detection Report)
- Enumeration via the Global Catalog