AdFind Command Activity
editAdFind Command Activity
editThis rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- http://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
- https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Discovery
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Investigation guide
editAdFind.exe is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.
Rule query
editprocess where event.type in ("start", "process_started") and
(process.name : "AdFind.exe" or process.pe.original_file_name ==
"AdFind.exe") and process.args : ("objectcategory=computer",
"(objectcategory=computer)",
"objectcategory=person", "(objectcategory=person)",
"objectcategory=subnet", "(objectcategory=subnet)",
"objectcategory=group", "(objectcategory=group)",
"objectcategory=organizationalunit",
"(objectcategory=organizationalunit)",
"objectcategory=attributeschema", "(objectcategory=attributeschema)",
"domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd",
"trustdmp")
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Permission Groups Discovery
- ID: T1069
- Reference URL: https://attack.mitre.org/techniques/T1069/
Rule version history
edit- Version 2 (7.11.2 release)
-
- Formatting only