<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AdFind - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/adfind/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/adfind/feed.xml" rel="self" type="application/rss+xml"/><item><title>AdFind.exe Execution with Reconnaissance Arguments</title><link>https://feed.craftedsignal.io/briefs/2024-01-adfind-recon/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-adfind-recon/</guid><description>This rule detects the execution of AdFind.exe with specific command-line arguments used for reconnaissance, often associated with threat actors like Wizard Spider, FIN6, and groups linked to SUNBURST, who use it to enumerate domain controllers.</description><content:encoded><![CDATA[<p>This detection focuses on identifying the execution of <code>adfind.exe</code> with specific command-line arguments often employed for reconnaissance activities within Active Directory environments. <code>adfind.exe</code> is a legitimate command-line tool for querying Active Directory, but it can be abused by threat actors to gather information about users, computers, and other objects within the domain. This behavior has been observed in connection with threat actors like Wizard Spider, FIN6, and groups associated with the SUNBURST supply chain attack. The detection specifically targets processes involving command-line arguments like <code>-f</code>, <code>-b</code>, <code>objectcategory</code>, <code>-gcb</code>, and <code>-sc</code>, which are commonly used to filter and search for specific objects in Active Directory. The tool is often used to enumerate domain controllers to map the environment before lateral movement or privilege escalation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a compromised system within the target network.</li>
<li>AdFind.exe is deployed to the compromised host.</li>
<li>AdFind.exe is executed with specific command-line arguments to query Active Directory. The command includes parameters like <code>-f</code> or <code>-b</code> for filtering, and <code>objectcategory</code> to search for specific objects.</li>
<li>The tool is executed with arguments like <code>-gcb</code> to query the Global Catalog or <code>-sc</code> to specify the search scope.</li>
<li>AdFind.exe gathers information about domain controllers, users, groups, and other objects.</li>
<li>The gathered information is parsed and analyzed by the attacker to identify potential targets and vulnerabilities.</li>
<li>The attacker uses the gathered information to plan lateral movement, privilege escalation, or other malicious activities.</li>
<li>The attacker leverages the collected intelligence to identify key assets for data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of AdFind.exe for reconnaissance can provide attackers with a comprehensive understanding of the Active Directory environment, facilitating lateral movement, privilege escalation, and data exfiltration. While the source doesn't specify the number of victims or targeted sectors, the tool's use by known threat actors like Wizard Spider and FIN6 suggests the potential for significant impact, including ransomware deployment, data theft, and business disruption. The SUNBURST example highlights the risk of supply chain compromises leading to widespread reconnaissance activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM to detect suspicious AdFind.exe execution and tune for your environment.</li>
<li>Monitor process execution logs for instances of <code>adfind.exe</code> with command-line arguments like <code>-f</code>, <code>-b</code>, <code>objectcategory</code>, <code>-gcb</code>, and <code>-sc</code> (process field in the logs).</li>
<li>Implement network segmentation to limit the scope of potential reconnaissance activities.</li>
<li>Investigate any detected instances of AdFind.exe execution to determine the attacker's objectives and scope of compromise.</li>
<li>Enable Sysmon process-creation logging to activate the rules above.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>active-directory</category><category>reconnaissance</category><category>adfind</category><category>discovery</category></item></channel></rss>