{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/actors/fin6/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": ["FIN6"],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Elastic Defend"],
      "_cs_severities": ["low"],
      "_cs_tags": ["adfind", "active-directory", "reconnaissance", "windows"],
      "_cs_type": "threat",
      "_cs_vendors": ["Elastic"],
      "content_html": "\u003cp\u003eAdFind is a command-line tool used to retrieve information from Active Directory. While it has legitimate uses for network administrators, threat actors frequently leverage it for post-exploitation Active Directory reconnaissance. The tool allows for quick scoping of AD person/computer objects and understanding subnets and domain information. AdFind has been observed in campaigns associated with various threat actors, including Trickbot, Ryuk, Maze, and FIN6. This reconnaissance activity is typically conducted after initial compromise to gather information for lateral movement and privilege escalation. The detection of AdFind execution, especially with specific command-line arguments, can indicate malicious activity within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Transfer: The attacker transfers AdFind.exe to the compromised host.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes AdFind.exe from the command line or via a script.\u003c/li\u003e\n\u003cli\u003eDiscovery: AdFind is used to enumerate Active Directory objects such as computers (\u003ccode\u003eobjectcategory=computer\u003c/code\u003e), users (\u003ccode\u003eobjectcategory=person\u003c/code\u003e), subnets (\u003ccode\u003eobjectcategory=subnet\u003c/code\u003e), and groups (\u003ccode\u003eobjectcategory=group\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInformation Gathering: The attacker gathers information about domain controllers using commands such as \u003ccode\u003edclist\u003c/code\u003e or \u003ccode\u003edcmodes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The gathered information is used to identify potential targets for privilege escalation, such as accounts with weak passwords or misconfigured permissions.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the gathered information to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance using AdFind can provide attackers with a comprehensive understanding of the Active Directory environment, facilitating lateral movement, privilege escalation, and ultimately, the exfiltration of sensitive data or deployment of ransomware. While the use of AdFind itself may not be directly damaging, it is a strong indicator of malicious activity within a compromised network. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AdFind Command Activity\u0026rdquo; to your SIEM to detect the execution of AdFind with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide the necessary data for the Sigma rule to function effectively (reference the Sysmon setup documentation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;AdFind Command Activity\u0026rdquo; Sigma rule to determine the scope and impact of the potential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for AdFind-related activity, focusing on command-line arguments used to query Active Directory objects (reference the \u003ccode\u003equery\u003c/code\u003e field in the original rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following a successful compromise.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2024-01-02T12:00:00Z",
      "date_published": "2024-01-02T12:00:00Z",
      "id": "/briefs/2024-01-adfind-reconnaissance/",
      "summary": "The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.",
      "title": "AdFind Tool Used for Active Directory Reconnaissance",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-adfind-reconnaissance/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — FIN6",
  "version": "https://jsonfeed.org/version/1.1"
}