proc_creation_win_adfind_discovery.yml

title: AdFind Discovery
id: 50046619-1037-49d7-91aa-54fc92923604
status: stable
description: AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.
author: 'The DFIR Report'
date: 2022-05-14
modified: 2024-02-23
references:
    - https://thedfirreport.com/2020/05/08/adfind-recon/
    - https://thedfirreport.com/?s=adfind
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-gcb -sc trustdmp'
            - '-f "(objectcategory=group)"'
            - '-f (objectcategory=group)'
            - '-subnets -f (objectCategory=subnet)'
            - '-sc trustdmp'
            - '-f "(objectcategory=organizationalUnit)"'
            - '-f (objectcategory=organizationalUnit)'
            - '-f "objectcategory=computer"'
            - '-f objectcategory=computer'
            - '-f "(objectcategory=person)"'
            - '-f (objectcategory=person)'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for Active Directory querying.
level: medium
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1482
    - attack.t1069.002
    - attack.t1087.002
    - attack.s0552