Skip to content
Threat Feed
low threat

AdFind Active Directory Reconnaissance Activity

AdFind.exe, a legitimate Active Directory query tool, is commonly abused by threat actors such as Trickbot, Ryuk, Maze, and FIN6 for post-exploitation Active Directory reconnaissance, enabling enumeration of objects like computers, people, subnets, and domain information.

AdFind is a command-line tool used to query and retrieve information from Active Directory (AD). While AdFind has legitimate uses for network administrators, threat actors frequently leverage it to perform post-exploitation Active Directory reconnaissance. This tool allows for the quick discovery and enumeration of AD objects, subnets, and domain information. AdFind has been observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6. Defenders should monitor for its execution with specific arguments indicative of reconnaissance activity. The rule focuses on identifying AdFind execution based on process name and command-line arguments related to object category enumeration and domain information gathering.

Attack Chain

  1. Initial access is achieved through an exploit, compromised credentials, or other means (not described in source).
  2. The attacker establishes a foothold on a compromised system within the network.
  3. AdFind.exe is deployed to the compromised host, either as a standalone executable or as part of a larger toolset.
  4. The attacker executes AdFind.exe with command-line arguments to enumerate Active Directory objects, such as computers (objectcategory=computer), users (objectcategory=person), or organizational units (objectcategory=organizationalunit).
  5. The attacker queries for domain information, including domain lists (domainlist), domain controller modes (dcmodes), and domain controller lists (dclist) using AdFind.
  6. Information gathered is used to map out the Active Directory structure and identify high-value targets.
  7. Lateral movement is initiated based on the identified targets, using gathered credentials or exploiting vulnerabilities.
  8. The final objective could be data exfiltration, ransomware deployment, or other malicious activities within the compromised environment.

Impact

Successful reconnaissance using AdFind allows attackers to map out the Active Directory environment, identify critical assets, and plan further attacks. This can lead to lateral movement, data theft, ransomware deployment, and significant disruption to business operations. While the tool itself is benign, its use in conjunction with specific parameters by malicious actors allows them to quickly identify critical resources such as privileged accounts and domain controllers.

Recommendation

  • Deploy the Sigma rules provided to your SIEM to detect AdFind execution with reconnaissance-related arguments, and tune for your environment.
  • Enable Sysmon process creation logging to capture the necessary process execution data for the provided Sigma rules.
  • Review process execution logs for instances of AdFind.exe and analyze command-line arguments to identify potentially malicious activity.
  • Investigate any alerts triggered by the Sigma rules in conjunction with other security events on the affected host.

Detection coverage 3

AdFind Computer Enumeration

low

Detects AdFind execution with arguments to enumerate computer objects.

sigma tactics: discovery techniques: T1018, T1087.002 sources: process_creation, windows

AdFind Domain Information Discovery

low

Detects AdFind execution with arguments to enumerate domain information.

sigma tactics: discovery techniques: T1016, T1482 sources: process_creation, windows

AdFind Group Enumeration

low

Detects AdFind execution with arguments to enumerate Active Directory groups.

sigma tactics: discovery techniques: T1069.002, T1087.002 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →