{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/sunburst-associated-actors/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Conti","Wizard Spider","FIN6","SUNBURST associated actors"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AdFind","Active Directory","SolarWinds"],"_cs_severities":["medium"],"_cs_tags":["active-directory","reconnaissance","adfind","discovery"],"_cs_type":"advisory","_cs_vendors":["JoeWare","Microsoft","SolarWinds"],"content_html":"\u003cp\u003eThis detection focuses on identifying the execution of \u003ccode\u003eadfind.exe\u003c/code\u003e with specific command-line arguments often employed for reconnaissance activities within Active Directory environments. \u003ccode\u003eadfind.exe\u003c/code\u003e is a legitimate command-line tool for querying Active Directory, but it can be abused by threat actors to gather information about users, computers, and other objects within the domain. This behavior has been observed in connection with threat actors like Wizard Spider, FIN6, and groups associated with the SUNBURST supply chain attack. The detection specifically targets processes involving command-line arguments like \u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e-b\u003c/code\u003e, \u003ccode\u003eobjectcategory\u003c/code\u003e, \u003ccode\u003e-gcb\u003c/code\u003e, and \u003ccode\u003e-sc\u003c/code\u003e, which are commonly used to filter and search for specific objects in Active Directory. The tool is often used to enumerate domain controllers to map the environment before lateral movement or privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised system within the target network.\u003c/li\u003e\n\u003cli\u003eAdFind.exe is deployed to the compromised host.\u003c/li\u003e\n\u003cli\u003eAdFind.exe is executed with specific command-line arguments to query Active Directory. The command includes parameters like \u003ccode\u003e-f\u003c/code\u003e or \u003ccode\u003e-b\u003c/code\u003e for filtering, and \u003ccode\u003eobjectcategory\u003c/code\u003e to search for specific objects.\u003c/li\u003e\n\u003cli\u003eThe tool is executed with arguments like \u003ccode\u003e-gcb\u003c/code\u003e to query the Global Catalog or \u003ccode\u003e-sc\u003c/code\u003e to specify the search scope.\u003c/li\u003e\n\u003cli\u003eAdFind.exe gathers information about domain controllers, users, groups, and other objects.\u003c/li\u003e\n\u003cli\u003eThe gathered information is parsed and analyzed by the attacker to identify potential targets and vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to plan lateral movement, privilege escalation, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the collected intelligence to identify key assets for data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of AdFind.exe for reconnaissance can provide attackers with a comprehensive understanding of the Active Directory environment, facilitating lateral movement, privilege escalation, and data exfiltration. While the source doesn't specify the number of victims or targeted sectors, the tool's use by known threat actors like Wizard Spider and FIN6 suggests the potential for significant impact, including ransomware deployment, data theft, and business disruption. The SUNBURST example highlights the risk of supply chain compromises leading to widespread reconnaissance activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious AdFind.exe execution and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003eadfind.exe\u003c/code\u003e with command-line arguments like \u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e-b\u003c/code\u003e, \u003ccode\u003eobjectcategory\u003c/code\u003e, \u003ccode\u003e-gcb\u003c/code\u003e, and \u003ccode\u003e-sc\u003c/code\u003e (process field in the logs).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of AdFind.exe execution to determine the attacker's objectives and scope of compromise.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-adfind-recon/","summary":"This rule detects the execution of AdFind.exe with specific command-line arguments used for reconnaissance, often associated with threat actors like Wizard Spider, FIN6, and groups linked to SUNBURST, who use it to enumerate domain controllers.","title":"AdFind.exe Execution with Reconnaissance Arguments","url":"https://feed.craftedsignal.io/briefs/2024-01-adfind-recon/"}],"language":"en","title":"CraftedSignal Threat Feed - SUNBURST Associated Actors","version":"https://jsonfeed.org/version/1.1"}