Windows Adfind Exe

Description

This search looks for the execution of adfind.exe with the command-line arguments it uses by default, specifically its filter or search functions. It also considers the arguments those functions require, such as objectcategory; see the tool's readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. This has been seen used before by Wizard Spider, FIN6 and actors who also launched SUNBURST. AdFind.exe is usually used as a recon tool to enumerate a domain controller.



Use Case

Security Monitoring

Category

Adversary Tactics


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Discovery

MITRE ATT&CK Techniques

Remote System Discovery

MITRE Threat Groups

APT3
APT32
APT39
BRONZE BUTLER
Deep Panda
Dragonfly 2.0
FIN5
FIN6
FIN8
Ke3chang
Leafminer
Rocke
Sandworm Team
Silence
Soft Cell
Threat Group-3390
Turla
Wizard Spider
menuPass

Data Sources

Endpoint Detection and Response


Windows Adfind Exe Help

To successfully implement this search, you need to be ingesting logs that include the process name and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
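The description above states the detection logic (process name adfind.exe plus its default filter or search arguments, such as objectcategory) and the help text states the telemetry it needs (process name and command line from endpoint process-creation events). The following Python is an added illustration of that logic run over constructed Sysmon Event ID 1 style records; it is not the page's own search or Splunk's code. Assumptions: the sample events, their key=value layout and the user names are made up; the `-f` (LDAP filter) and `-sc` (shortcut) switches are taken from the AdFind usage page the description links to; the `OriginalFileName` check assumes the Sysmon field is present and that AdFind's PE version info carries its original name, which is why a renamed copy in the samples is still caught.

```python
import ntpath
import re

# Constructed sample records in a flattened Sysmon Event ID 1 style.
# These are made-up lines for the example, not real telemetry.
SAMPLE_EVENTS = [
    'EventCode=1 Image="C:\\Tools\\AdFind.exe" CommandLine="AdFind.exe -f objectcategory=computer" User="CORP\\alice"',
    'EventCode=1 Image="C:\\Tools\\AdFind.exe" CommandLine="AdFind.exe -sc dclist" User="CORP\\alice"',
    # Bare help invocation: right binary, but none of the filter/search arguments the detection keys on.
    'EventCode=1 Image="C:\\Tools\\AdFind.exe" CommandLine="AdFind.exe -h" User="CORP\\bob"',
    # Different process that merely mentions objectcategory: must not match.
    'EventCode=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe C:\\Notes\\objectcategory.txt" User="CORP\\carol"',
    # Network event (EventCode 3) for the same binary: out of scope for a process-creation rule.
    'EventCode=3 Image="C:\\Tools\\AdFind.exe" DestinationPort=389 User="CORP\\alice"',
    # Renamed copy; the assumed OriginalFileName field still identifies it.
    'EventCode=1 Image="C:\\Users\\Public\\af.exe" CommandLine="af.exe -f objectcategory=person" OriginalFileName="AdFind.exe" User="CORP\\dave"',
]

# key=value pairs, with values either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Argument markers from the AdFind usage page: -f (filter), -sc (shortcut),
# and the objectcategory attribute that the filters typically reference.
ADFIND_ARG_PATTERNS = [
    re.compile(r"(^|\s)-f(\s|$)", re.IGNORECASE),
    re.compile(r"(^|\s)-sc(\s|$)", re.IGNORECASE),
    re.compile(r"objectcategory", re.IGNORECASE),
]


def parse_event(line: str) -> dict:
    """Turn one flattened key=value record into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_adfind_recon(event: dict) -> bool:
    """True when a process-creation event is adfind.exe run with its filter/search arguments."""
    if event.get("EventCode") != "1":
        return False
    # ntpath handles Windows paths regardless of the host OS running this script.
    candidate_names = {
        ntpath.basename(event.get("Image", "")).lower(),
        event.get("OriginalFileName", "").lower(),
    }
    if "adfind.exe" not in candidate_names:
        return False
    cmd = event.get("CommandLine", "")
    return any(p.search(cmd) for p in ADFIND_ARG_PATTERNS)


def find_adfind_recon(lines) -> list:
    """Return the parsed events that the detection flags, in input order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_adfind_recon(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_adfind_recon(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} cmd={hit['CommandLine']}")
```

Matching on both the image basename and the original file name is what keeps the renamed copy in the samples visible; the bare `-h` run and the notepad line show why the rule requires the filter/search arguments together with the binary name rather than either one alone.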
