{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/trickbot/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Trickbot","Ryuk","Maze","FIN6"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Active Directory"],"_cs_severities":["low"],"_cs_tags":["adfind","active-directory","reconnaissance","discovery","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAdFind is a command-line tool used to query and retrieve information from Active Directory (AD). While AdFind has legitimate uses for network administrators, threat actors frequently leverage it to perform post-exploitation Active Directory reconnaissance. This tool allows for the quick discovery and enumeration of AD objects, subnets, and domain information. AdFind has been observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6. Defenders should monitor for its execution with specific arguments indicative of reconnaissance activity. The rule focuses on identifying AdFind execution based on process name and command-line arguments related to object category enumeration and domain information gathering.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an exploit, compromised credentials, or other means (not described in source).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a foothold on a compromised system within the network.\u003c/li\u003e\n\u003cli\u003eAdFind.exe is deployed to the compromised host, either as a standalone executable or as part of a larger toolset.\u003c/li\u003e\n\u003cli\u003eThe attacker executes AdFind.exe with command-line arguments to enumerate Active Directory objects, such as computers (objectcategory=computer), users (objectcategory=person), or organizational units (objectcategory=organizationalunit).\u003c/li\u003e\n\u003cli\u003eThe attacker queries for domain information, including domain lists (domainlist), domain controller modes (dcmodes), and domain controller lists (dclist) using AdFind.\u003c/li\u003e\n\u003cli\u003eInformation gathered is used to map out the Active Directory structure and identify high-value targets.\u003c/li\u003e\n\u003cli\u003eLateral movement is initiated based on the identified targets, using gathered credentials or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or other malicious activities within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance using AdFind allows attackers to map out the Active Directory environment, identify critical assets, and plan further attacks. This can lead to lateral movement, data theft, ransomware deployment, and significant disruption to business operations. While the tool itself is benign, its use in conjunction with specific parameters by malicious actors allows them to quickly identify critical resources such as privileged accounts and domain controllers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided to your SIEM to detect AdFind execution with reconnaissance-related arguments, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview process execution logs for instances of AdFind.exe and analyze command-line arguments to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules in conjunction with other security events on the affected host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-adfind-reconnaissance/","summary":"AdFind.exe, a legitimate Active Directory query tool, is commonly abused by threat actors such as Trickbot, Ryuk, Maze, and FIN6 for post-exploitation Active Directory reconnaissance, enabling enumeration of objects like computers, people, subnets, and domain information.","title":"AdFind Active Directory Reconnaissance Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-29-adfind-reconnaissance/"}],"language":"en","title":"CraftedSignal Threat Feed - Trickbot","version":"https://jsonfeed.org/version/1.1"}