Navigation :

Windows Adfind Exe

Description

This search looks for the execution of adfind.exe with command-line arguments that it uses by default. Specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. This has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. AdFind.exe is usually used a recon tool to enumare a domain controller.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring

Alert Volume

This search looks for the execution of `adfind.exe` with command-line arguments that it uses by default. Specifically the filter or search functions. It also considers the arguments necessary like objectcategory, see readme for more details: https://www.joeware.net/freetools/tools/adfind/usage.htm. This has been seen used before by Wizard Spider, FIN6 and actors whom also launched SUNBURST. AdFind.exe is usually used a recon tool to enumare a domain controller.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Discovery

MITRE ATT&CK Techniques

Remote System Discovery

MITRE Threat Groups

APT3

APT32

APT39

BRONZE BUTLER

Deep Panda

Dragonfly 2.0

FIN5

FIN6

FIN8

Ke3chang

Leafminer

Rocke

Sandworm Team

Silence

Soft Cell

Threat Group-3390

Turla

Wizard Spider

menuPass

Data Sources

Endpoint Detection and Response

Help
Windows Adfind Exe Help To successfully implement this search, you need to be ingesting logs with the process name, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Help